[sr-dev] git:andrei/tcp_tls_changes: tls: async support (major tls core rewrite)

Andrei Pelinescu-Onciul andrei at iptel.org
Thu May 20 19:12:04 CEST 2010


Module: sip-router
Branch: andrei/tcp_tls_changes
Commit: 93c495f34ebb001f9509db82acad5a7483b61d41
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=93c495f34ebb001f9509db82acad5a7483b61d41

Author: Andrei Pelinescu-Onciul <andrei at iptel.org>
Committer: Andrei Pelinescu-Onciul <andrei at iptel.org>
Date:   Thu May 20 18:24:38 2010 +0200

tls: async support (major tls core rewrite)

The new tls hook interface (exported by the tcp code) is now used.
All the IO operations are made through a custom SSL BIO, that
reads and writes in some memory buffers (see tls_bio.h), while
externally emulating a socket.  This BIO provides in fact some
functions that will be called by the openssl code on IO.
In the case of a read event, the data is first read in memory
(using tcp_read_data()), then assigned to the BIO and after that
one of SSL_read(), SSL_connect/accept (if the connection is not
yet established) or SSL_write (if the last write wanted to read
some data due to re-keying) is called.  They will all read from
the custom BIO.  An SSL_read() might not use all the data (in some
very unlikely situations), so in this case the encrypted data is
queued and the tcp code is signaled (via some flags) that it
should repeat the read call when more space is available.
Writes are split in 2: 1st write on a new connection in async mode
and other writes (they need to be handled slightly differently).
The encrypted data will end up in a memory buffer (via SSL_write()
and the custom BIO). From there it will be either sent directly if
possible or queued (tcp_async).  In the case when the SSL_write()
needs to read some data (e.g. re-keying), the whole clear text
data will be queued and the SSL_write() will be retried on the
first read event.

There is no separate async mode for tls, if tcp is in async mode,
then tls will be too and vice versa.
Runtime tuning (queue sizes a.s.o) and statistics are missing for
now.

(C) and license changes:
 - moved tls_dump_verification_failure into a separate file
   (tls_dump_vf.c), out of tls_server.c.
 - the remaining tcp_server.[ch] code is either re-written (most of it,
   the entire read & write part) or comes from old iptel code =>
   changed the (c) to iptelorg only and the license to BSD-like
   (only for tcp_server.[ch]).

---

 modules/tls/tls_dump_vf.c |  144 ++++++
 modules/tls/tls_dump_vf.h |   41 ++
 modules/tls/tls_init.c    |    2 +
 modules/tls/tls_mod.c     |   34 +-
 modules/tls/tls_server.c  | 1105 ++++++++++++++++++++++++---------------------
 modules/tls/tls_server.h  |   76 ++--
 6 files changed, 831 insertions(+), 571 deletions(-)

Diff:   http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commitdiff;h=93c495f34ebb001f9509db82acad5a7483b61d41
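The read/write split described in the commit message above (data read into memory first, handed to an in-memory BIO, then SSL_read/SSL_connect/SSL_write driven with WANT_READ turned into a "retry on next read event" flag, and clear text queued when the engine cannot encrypt yet) can be reproduced with Python's ssl.MemoryBIO, which wraps the same OpenSSL BIO-pair mechanism. The following is an added illustration written for this page, not sip-router or OpenSSL code; the class name AsyncTlsConn, its methods and the queued-buffer handling are constructed for the example, and because no server answers, the handshake stops after the ClientHello and certificate verification is switched off for the demo only.

```python
from __future__ import annotations
import ssl


class AsyncTlsConn:
    """One client-side TLS connection driven purely through memory BIOs.

    Constructed demo: the TLS engine never sees a socket.  Ciphertext is
    moved between the BIOs and the (hypothetical) TCP layer by the caller,
    mirroring the custom BIO design from the commit message above.
    """

    def __init__(self) -> None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Demo only: no peer ever replies, so nothing could be verified here.
        # A real client keeps check_hostname and CERT_REQUIRED enabled.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        self.incoming = ssl.MemoryBIO()   # ciphertext from the network -> engine
        self.outgoing = ssl.MemoryBIO()   # ciphertext from the engine -> network
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing, server_side=False)
        self.handshake_done = False
        self.want_read = False            # engine stalled: repeat on next read event
        self.queued_clear = b""           # clear text waiting for the engine

    def start(self) -> bytes:
        """Begin the handshake; returns ciphertext (ClientHello) for the TCP side."""
        self._drive()
        return self.outgoing.read()

    def on_read_event(self, ciphertext: bytes) -> tuple[bytes, bytes]:
        """TCP read event: data already in memory is assigned to the BIO, then
        whichever engine operation is due is run.  Returns (clear text decoded,
        ciphertext to send), the latter possibly handshake or re-key traffic."""
        self.incoming.write(ciphertext)
        plain = self._drive()
        return plain, self.outgoing.read()

    def send(self, clear: bytes) -> bytes:
        """Application write: encrypt now if the engine can, else keep it queued
        (the 'first write on a new connection' case) and retry on the next read."""
        self.queued_clear += clear
        self._drive()
        return self.outgoing.read()

    def _drive(self) -> bytes:
        """Run handshake, pending writes and reads; WANT_READ becomes a flag."""
        plain = b""
        self.want_read = False
        try:
            if not self.handshake_done:
                self.tls.do_handshake()
                self.handshake_done = True
            while self.queued_clear:
                n = self.tls.write(self.queued_clear)
                self.queued_clear = self.queued_clear[n:]
            while True:
                chunk = self.tls.read(4096)
                if not chunk:          # peer sent close_notify
                    break
                plain += chunk
        except ssl.SSLWantReadError:
            # Engine needs more ciphertext; the TCP layer must call us again
            # when the next read event arrives.  Nothing is lost: unconsumed
            # ciphertext stays inside self.incoming, clear text in queued_clear.
            self.want_read = True
        return plain


if __name__ == "__main__":
    conn = AsyncTlsConn()
    hello = conn.start()
    print("ClientHello record bytes:", len(hello), "want_read:", conn.want_read)
    print("early write queued:", conn.send(b"OPTIONS sip:x SIP/2.0\r\n") == b"",
          "queued:", conn.queued_clear)
```

The observable behaviour matches the commit's description: the first call emits a handshake record into the outgoing buffer and sets the want-read flag; an application write before the handshake completes produces no ciphertext and stays in the clear-text queue until a read event lets the engine make progress.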