<p><b>@henningw</b> commented on this pull request.</p>
<hr>
<p>In <a href="https://github.com/kamailio/kamailio/pull/1484#discussion_r176005262">src/modules/tls/tls_domain.c</a>:</p>
<pre style='color:#555'>> @@ -1113,7 +1119,73 @@ static int passwd_cb(char *buf, int size, int rwflag, void *filename)
#endif
}
+#ifndef OPENSSL_NO_ENGINE
+/**
</pre>
<p>Great that you added doxygen comments</p>
<hr>
<p>In <a href="https://github.com/kamailio/kamailio/pull/1484#discussion_r176009555">src/modules/tls/tls_mod.c</a>:</p>
<pre style='color:#555'>> @@ -496,3 +527,59 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
return 0;
}
+
+
+
+#ifndef OPENSSL_NO_ENGINE
+/*
+ * initialize OpenSSL engine in child process
+ * PKCS#11 libraries are not guaranteed to be fork() safe
+ *
+ */
+static int engine_init()
+{
+ /*
</pre>
<p>As discussed, this should be either in the module README or as dedicated cfg example in the module dir.</p>
<hr>
<p>In <a href="https://github.com/kamailio/kamailio/pull/1484#discussion_r176010279">src/modules/tls/tls_mod.c</a>:</p>
<pre style='color:#555'>> + *
+ * # OpenSSL config file: /usr/local/etc/kamailio/tls_gemalto.conf
+ * # https://www.openssl.org/docs/manmaster/man5/config.html
+ * # /usr/lib64/openssl/engines/libgem.so is the Gemalto OpenSSL engine for CloudHSM/SafeNet Luna
+ *
+ * kamailio = kamailio_init
+ * [kamailio_init]
+ * engines = engine_section
+ * [engine_section]
+ * gem = gemalto_section
+ * [ gemalto_section ]
+ * # engines support ctrl strings; this is Gemalto specific
+ * # ENGINE_INIT = <slot>:<appid>:<appid>:password=<slot-password>
+ * ENGINE_INIT = 0:23:24:password=1233-ABCD-EFGH-XY32
+ */
+ LM_INFO("With OpenSSL engine support\n");
</pre>
<p>Is this an information for the user? Otherwise change it to debug level.</p>
<hr>
<p>In <a href="https://github.com/kamailio/kamailio/pull/1484#discussion_r176010648">src/modules/tls/tls_mod.h</a>:</p>
<pre style='color:#555'>> @@ -30,6 +30,15 @@
#include "../../core/locking.h"
#include "tls_domain.h"
+#ifndef OPENSSL_NO_ENGINE
+typedef struct tls_engine {
+ str engine;
+ str engine_config;
+ str engine_algorithms;
+} tls_engine_t;
+#include <openssl/conf.h>
</pre>
<p>I think you don't need this includes in the header file, consider move this to the tls_mod.c file.</p>
<hr>
<p>In <a href="https://github.com/kamailio/kamailio/pull/1484#discussion_r176010671">src/modules/tls/tls_mod.h</a>:</p>
<pre style='color:#555'>> @@ -30,6 +30,15 @@
#include "../../core/locking.h"
#include "tls_domain.h"
+#ifndef OPENSSL_NO_ENGINE
+typedef struct tls_engine {
+ str engine;
+ str engine_config;
+ str engine_algorithms;
+} tls_engine_t;
+#include <openssl/conf.h>
+#include <openssl/engine.h>
</pre>
<p>same</p>
<hr>
<p>In <a href="https://github.com/kamailio/kamailio/pull/1484#discussion_r176011415">src/modules/tls/tls_mod.c</a>:</p>
<pre style='color:#555'>> + err = CONF_modules_load_file(engine_settings.engine_config.s, "kamailio", 0);
+ if (!err) goto error;
+ }
+ engine = ENGINE_by_id(engine_settings.engine.s);
+ if (!engine) goto error;
+ err = ENGINE_init(engine);
+ if (!err) goto error;
+ if (strncmp(engine_settings.engine_algorithms.s, "NONE", 4)) {
+ err = ENGINE_set_default_string(engine, engine_settings.engine_algorithms.s);
+ if (!err) goto error;
+ }
+ LM_INFO("OpenSSL engine %*s initialized\n", engine_settings.engine.len, engine_settings.engine.s);
+ }
+ return 0;
+error:
+ return -1;
</pre>
<p>It would be great to add some error logging here, to give some hints to the user that the engine, the engine config or the algorithm setting failed.</p>
<hr>
<p>In <a href="https://github.com/kamailio/kamailio/pull/1484#discussion_r176012977">src/modules/tls/tls_domain.c</a>:</p>
<pre style='color:#555'>> + * @return 0 on success, -1 on error
+ *
+ * Do this in mod_child() as PKCS#11 libraries are not guaranteed
+ * to be fork() safe
+ *
+ * private_key setting which starts with /engine: is assumed to be
+ * an HSM key and not a file-based key
+ */
+static int load_engine_private_key(tls_domain_t* d)
+{
+ int idx, ret_pwd, i;
+ EVP_PKEY *pkey;
+ int procs_no;
+
+ if (!d->pkey_file.s || !d->pkey_file.len) {
+ DBG("%s: No private key specified\n", tls_domain_str(d));
</pre>
<p>Is there a valid condition that we should continue here without an private key? If not, we should log an error and return -1, or I am wrong?</p>
<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/kamailio/kamailio/pull/1484#pullrequestreview-105629697">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AF36ZYCPhMSfO7cQzEis_qqBJz27j0xmks5tghbwgaJpZM4SsL5H">mute the thread</a>.<img src="https://github.com/notifications/beacon/AF36ZT8EHk0aQ5p9MFQ-O6c6sN-3ifVKks5tghbwgaJpZM4SsL5H.gif" height="1" width="1" alt="" /></p>
<div itemscope itemtype="http://schema.org/EmailMessage">
<div itemprop="action" itemscope itemtype="http://schema.org/ViewAction">
<link itemprop="url" href="https://github.com/kamailio/kamailio/pull/1484#pullrequestreview-105629697"></link>
<meta itemprop="name" content="View Pull Request"></meta>
</div>
<meta itemprop="description" content="View this Pull Request on GitHub"></meta>
</div>
<script type="application/json" data-scope="inboxmarkup">{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/kamailio/kamailio","title":"kamailio/kamailio","subtitle":"GitHub repository","main_image_url":"https://cloud.githubusercontent.com/assets/143418/17495839/a5054eac-5d88-11e6-95fc-7290892c7bb5.png","avatar_image_url":"https://cloud.githubusercontent.com/assets/143418/15842166/7c72db34-2c0b-11e6-9aed-b52498112777.png","action":{"name":"Open in GitHub","url":"https://github.com/kamailio/kamailio"}},"updates":{"snippets":[{"icon":"PERSON","message":"@henningw commented on #1484"}],"action":{"name":"View Pull Request","url":"https://github.com/kamailio/kamailio/pull/1484#pullrequestreview-105629697"}}}</script>