Commit 142eb1a0 authored by Ondřej Surý

Initialize global TLS credentials in the worker_ctx and initialize GnuTLS logging at global level

parent 436ba6b7
......@@ -563,26 +563,17 @@ For when listening on ``localhost`` just doesn't cut it.
50
> net.tcp_pipeline(100)
.. function:: net.tls_cert([path])
.. function:: net.tls([cert_path], [key_path])
Get/set path to a server TLS certificate for DNS/TLS.
Get/set path to a server TLS certificate and private key for DNS/TLS.
Example output:
.. code-block:: lua
> net.tls_cert("/etc/kresd/server-cert.pem")
> net.tls_cert("/etc/kresd/server-cert.pem", "/etc/kresd/server-key.pem")
> net.tls_cert()
/etc/kresd/server-cert.pem
.. function:: net.tls_key([path])
Get/set path to a server TLS private key.
.. code-block:: lua
> net.tls_cert("/etc/kresd/server-cert.pem")
> net.tls_key("/etc/kresd/server-key.pem")
("/etc/kresd/server-cert.pem", "/etc/kresd/server-key.pem")
> net.listen("::", 853)
> net.listen("::", 443, {tls = true})
......
......@@ -18,11 +18,13 @@
#include <uv.h>
#include <contrib/cleanup.h>
#include <libknot/descriptor.h>
#include <gnutls/gnutls.h>
#include "lib/cache.h"
#include "lib/cdb.h"
#include "daemon/bindings.h"
#include "daemon/worker.h"
#include "daemon/tls.h"
/** @internal Annotate for static checkers. */
KR_NORETURN int lua_error (lua_State *L);
......@@ -348,33 +350,24 @@ static int net_pipeline(lua_State *L)
return 1;
}
static int net_tls_cert(lua_State *L)
static int net_tls(lua_State *L)
{
struct engine *engine = engine_luaget(L);
if (!lua_isstring(L, 1)) {
lua_pushstring(L, engine->net.tls_cert);
return 1;
struct worker_ctx *worker = wrk_luaget(L);
if (!worker) {
return 0;
}
int r = network_set_tls_cert(&engine->net, lua_tostring(L, 1));
if (r != 0) {
lua_pushstring(L, strerror(ENOMEM));
lua_error(L);
if (lua_gettop(L) == 0) {
lua_pushfstring(L, "(\"%s\", \"%s\")", worker->tls_cert, worker->tls_key);
return 1;
}
lua_pushboolean(L, true);
return 1;
}
static int net_tls_key(lua_State *L)
{
struct engine *engine = engine_luaget(L);
if (!lua_isstring(L, 1)) {
lua_pushstring(L, engine->net.tls_key);
return 1;
if ((lua_gettop(L) != 2) || !lua_isstring(L, 1) || !lua_isstring(L, 2)) {
lua_pushstring(L, "net.tls takes two parameters: (\"cert_file\", \"key_file\")");
lua_error(L);
}
int r = network_set_tls_key(&engine->net, lua_tostring(L, 1));
int r = tls_certificate_set(worker, lua_tostring(L, 1), lua_tostring(L, 2));
if (r != 0) {
lua_pushstring(L, strerror(ENOMEM));
lua_error(L);
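Review bot: Every failure of tls_certificate_set is reported as `strerror(ENOMEM)` on the last lines of the hunk, but the call presumably fails for other reasons too (an unreadable or malformed certificate or key file rejected by GnuTLS), so a user with a wrong path would be told "Cannot allocate memory". Report the returned code instead, e.g. `lua_pushstring(L, kr_strerror(r));`, or `strerror(-r)` if the function follows the `kr_error(x)` convention used elsewhere in this commit. Separately, before `net.tls()` has ever been called both `worker->tls_cert` and `worker->tls_key` are NULL, which `lua_pushfstring` renders as the literal text `(null)` in Lua 5.1/LuaJIT; pushing nil (`lua_pushnil(L)`) in that case is easier for scripts to test. net_tls's body continues past the end of the hunk.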
......@@ -393,8 +386,7 @@ int lib_net(lua_State *L)
{ "interfaces", net_interfaces },
{ "bufsize", net_bufsize },
{ "tcp_pipeline", net_pipeline },
{ "tls_cert", net_tls_cert },
{ "tls_key", net_tls_key },
{ "tls", net_tls },
{ NULL, NULL }
};
register_lib(L, "net", lib);
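Review bot: Dropping the `tls_cert` and `tls_key` entries from `lib` makes any existing configuration that calls `net.tls_cert(...)` or `net.tls_key(...)` fail at load time, since those fields are now nil, and the README hunk in this same commit still shows `net.tls_cert("/etc/kresd/server-cert.pem", "/etc/kresd/server-key.pem")` as the example for the new two-argument setter. Either keep thin compatibility entries that forward to net_tls with a deprecation log line, or at least correct the documented example to `net.tls(...)` so the docs match the table registered here.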
......
......@@ -34,6 +34,7 @@
#include "daemon/worker.h"
#include "daemon/engine.h"
#include "daemon/bindings.h"
#include "daemon/tls.h"
/* We can fork early on Linux 3.9+ and do SO_REUSEPORT for better performance. */
#if defined(UV_VERSION_HEX) && defined(SO_REUSEPORT) && defined(__linux__)
......@@ -380,6 +381,11 @@ void free_sd_socket_names(char **socket_names, int count)
free(socket_names);
}
static void kres_gnutls_log(int level, const char *message)
{
kr_log_error("[tls] gnutls: (%d) %s", level, message);
}
int main(int argc, char **argv)
{
int forks = 1;
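Review bot: `kres_gnutls_log` ignores `level` except for printing it and emits every GnuTLS message through `kr_log_error`, so once `-v` raises the GnuTLS log level (the `gnutls_global_set_log_level(1)` call in the option-parsing hunk below) all of the library's diagnostic chatter is tagged as an error in the daemon log. Route by level instead: keep `kr_log_error` for low levels and send the rest through the daemon's verbose/debug logging call, so an operator grepping for errors is not flooded. GnuTLS messages are, as far as I recall, already newline-terminated, so check whether `kr_log_error` adds another newline and strip it if so.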
......@@ -395,6 +401,7 @@ int main(int argc, char **argv)
const char *config = NULL;
char *keyfile_buf = NULL;
int control_fd = -1;
gnutls_certificate_credentials_t *x509_credentials;
/* Long options. */
int c = 0, li = 0, ret = 0;
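Review bot: `gnutls_certificate_credentials_t *x509_credentials;` is declared in main without an initialiser and no use of it appears in the visible hunks; the credentials are stored in `worker_ctx` per the worker.h hunk, so this local looks like a leftover. If it is unused, remove it (it will also trip -Wunused-variable); if it is used later in main, initialise it, `gnutls_certificate_credentials_t *x509_credentials = NULL;`, so a failed setup path cannot free an indeterminate pointer. main begins before this hunk and continues after it.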
......@@ -467,6 +474,8 @@ int main(int argc, char **argv)
break;
case 'v':
kr_debug_set(true);
/* FIXME: Experiment with various GnuTLS log levels */
gnutls_global_set_log_level(1);
break;
case 'q':
g_quiet = true;
......@@ -538,7 +547,10 @@ int main(int argc, char **argv)
kr_crypto_init();
/* Connect forks with local socket */
/* Setup a global GnuTLS logging function */
gnutls_global_set_log_function(kres_gnutls_log);
/* Connect forks with local socket */
fd_array_t ipc_set;
array_init(ipc_set);
/* Fork subprocesses if requested */
......
......@@ -101,10 +101,6 @@ void network_deinit(struct network *net)
map_walk(&net->endpoints, close_key, 0);
map_walk(&net->endpoints, free_key, 0);
map_clear(&net->endpoints);
free(net->tls_cert);
net->tls_cert = NULL;
free(net->tls_key);
net->tls_key = NULL;
}
}
......@@ -343,33 +339,3 @@ int network_close(struct network *net, const char *addr, uint16_t port)
return kr_ok();
}
static int str_replace(char **where_ptr, const char *with)
{
char *copy = with ? strdup(with) : NULL;
if (with && !copy) {
return kr_error(ENOMEM);
}
free(*where_ptr);
*where_ptr = copy;
return kr_ok();
}
int network_set_tls_cert(struct network *net, const char *value)
{
if (!net) {
return kr_error(EINVAL);
}
return str_replace(&net->tls_cert, value);
}
int network_set_tls_key(struct network *net, const char *value)
{
if (!net) {
return kr_error(EINVAL);
}
return str_replace(&net->tls_key, value);
}
......@@ -43,8 +43,6 @@ typedef array_t(struct endpoint*) endpoint_array_t;
struct network {
uv_loop_t *loop;
map_t endpoints;
char *tls_cert;
char *tls_key;
};
void network_init(struct network *net, uv_loop_t *loop);
......
......@@ -17,6 +17,7 @@
#pragma once
#include <uv.h>
#include <gnutls/gnutls.h>
#include <libknot/packet/pkt.h>
struct tls_ctx_t;
......@@ -26,3 +27,5 @@ void tls_free(struct tls_ctx_t* tls);
int tls_push(struct qr_task *task, uv_handle_t* handle, knot_pkt_t * pkt);
int tls_process(struct worker_ctx *worker, uv_stream_t *handle, const uint8_t *buf, ssize_t nread);
int tls_certificate_set(struct worker_ctx *worker, const char *tls_cert, const char *tls_key);
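Review bot: The new `tls_certificate_set` prototype has no doc comment, and its signature leaves the important questions open: who owns `tls_cert` and `tls_key` after the call, what the return convention is, and what happens to credentials loaded by an earlier call. worker_reclaim frees `worker->tls_cert`/`worker->tls_key`, so the paths are presumably copied; document that explicitly, e.g. `/** Load the server certificate and private key files for DNS/TLS into worker; both path strings are copied. Returns 0 on success, non-zero on failure. */`, and state whether previously loaded credentials are released or kept on failure.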
......@@ -1014,6 +1014,18 @@ void worker_reclaim(struct worker_ctx *worker)
mp_delete(worker->pkt_pool.ctx);
worker->pkt_pool.ctx = NULL;
map_clear(&worker->outgoing);
if (worker->tls_cert) {
free(worker->tls_cert);
worker->tls_cert = NULL;
}
if (worker->tls_key) {
free(worker->tls_key);
worker->tls_key = NULL;
}
if (worker->x509_credentials) {
gnutls_certificate_free_credentials(*worker->x509_credentials);
free(worker->x509_credentials);
}
}
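Review bot: After `free(worker->x509_credentials)` the pointer is left dangling, unlike `tls_cert` and `tls_key`, which are reset to NULL right after their free; a second `worker_reclaim`, or a later `tls_certificate_set` that checks the field before replacing credentials, would then double-free or use freed memory. Add `worker->x509_credentials = NULL;` after the `free`. The `if (worker->tls_cert)` / `if (worker->tls_key)` guards are redundant since `free(NULL)` is a no-op, so `free(worker->tls_cert); worker->tls_cert = NULL;` is enough. worker_reclaim starts before this hunk.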
#undef DEBUG_MSG
......@@ -16,6 +16,8 @@
#pragma once
#include <gnutls/gnutls.h>
#include "daemon/engine.h"
#include "lib/generic/array.h"
#include "lib/generic/map.h"
......@@ -55,6 +57,9 @@ struct worker_ctx {
mp_freelist_t pool_ioreq;
mp_freelist_t pool_sessions;
knot_mm_t pkt_pool;
gnutls_certificate_credentials_t *x509_credentials;
char *tls_cert;
char *tls_key;
};
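Review bot: The three new `worker_ctx` fields are undocumented, and `x509_credentials` is a pointer to `gnutls_certificate_credentials_t`, which is itself a pointer type, so the worker carries a separate heap allocation whose only purpose is to hold the handle (and a NULL check that stands in for "no credentials loaded"). Storing the handle directly, NULL when unset, would remove that allocation and the matching `free()` in worker_reclaim. At minimum add comments, e.g. `/** GnuTLS server credentials; NULL until net.tls() has loaded a certificate. */` and `/** Paths of the server certificate and private key; owned by the worker and freed in worker_reclaim. */`, assuming the worker struct is zero-initialised on creation (not visible here).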
/* Worker callback */
......