Hi,

this is a major patch to the current CVS tree to support SSLv3 for all
HTTP servers that are used within Kannel. Currently it supports the
bearerbox admin and sendsms HTTP servers via configuration file
directives, but may be extended to include the PPG's HTTP server too.

Please review the changes and commit to CVS: Bruno, Nick, Jarkko,
Andreas?! 
What about CVS access to commit changes, Nick?

Here are the changes:

  * config.h.in: added OPENSSL_VERSION to print out the used version
in gw/shared.c

  * configure.in: changed the way HAVE_LIBSSL is detected and set.
The current configure does not detect OpenSSL when it is installed in its
standard /usr/local/ssl location. BTW, most OpenSSL installations need
-lcrypto too when linking SSL code against -lssl.

  * gw/bb_boxc.c: changed conn_wrap_fd() prototype call (see
gwlib/conn.c)

  * gw/bb_http.c: required additions in httpadmin_start() to detect in
the config file (core group) if the admin HTTP server should use SSL,
indicated by "admin-port-ssl = yes", then load the global server
certificate and key. Changed http_open_port() prototype call (see
gwlib/http.c)

  * gw/cert.pem: added x509 PEM encoded sample public certificate used
in gw/smskannel-ssl.conf.

  * gw/key.pem: added x509 PEM encoded sample private key used in
gw/smskannel-ssl.conf.

  * gw/shared.c: added use of OPENSSL_VERSION to print when starting.

  * gw/smsbox.c: required additions in init_smsbox() to detect in the
config file (smsbox group) if the sendsms HTTP server should use SSL,
indicated by "sendsms-port-ssl = yes", then load the global server
certificate and key. Changed http_open_port() prototype call (see
gwlib/http.c)

  * gw/smsc_emi2.c: changed conn_wrap_fd() prototype call (see
gwlib/conn.c)

  * gw/smsc_fake.c: changed conn_wrap_fd() prototype call (see
gwlib/conn.c)

  * gw/smsc_http.c: changed http_open_port() prototype call (see
gwlib/http.c)

  * gw/smskannel-ssl.conf: added sample configuration file for SSL
enabled HTTP servers using sample certificate (cert.pem) and key
(key.pem).

  * gw/wap_push_ppg.c: changed http_open_port() prototype call (see
gwlib/http.c)

  * gwlib/cfg.def: added "admin-port-ssl" to core group and
"sendsms-port-ssl" to smsbox group. Changed "ssl-certkey-file" to
"ssl-client-certkey-file" to make it more semantic and added
"ssl-server-cert-file" and "ssl-server-key-file" within the core group
for the server side.

  * gwlib/conn.c: added global server SSL context, X509 cert and RSA
key for the server side. Changed conn_wrap_fd() to take an SSL enable or
disable flag and put the SSL setup and server-side handshake here. Added
tmp_rsa_callback() function for temporary RSA keys. Added server side
mutex. Added server_ssl_init() function which initializes server side
SSL state. Added server_shutdown_ssl() function which is used for server
side shutdown. Renamed use_client_certkey_file() to
use_global_client_certkey_file() to be more descriptive. Added
use_global_server_certkey_file() routine to load the global server
certificate and private key.

  * gwlib/conn.h: changed prototype definition for conn_wrap_fd().
Added prototype definitions for openssl_locking_function(),
server_init_ssl(), server_shutdown_ssl(). Changed prototype name
use_client_certkey_file() to use_global_client_certkey_file(). Added
prototype definition for use_global_server_certkey_file().

  * gwlib/http.c: added int ssl to struct server to reflect if this
server is SSL enabled. Added array int ssl[MAX_SERVERS] within
server_thread() to reflect which servers are SSL enabled and how
conn_wrap_fd() has to be called. Changed http_open_port() to include
boolean flag if this port is used for an SSL enabled server. Added
server_ssl_init() call within http_init(). Added a server_shutdown_ssl()
call within http_shutdown().

  * gwlib/http.h: changed prototype definition for http_open_port(). 

  * test/drive_smpp.c: changed conn_wrap_fd() prototype call (see
gwlib/conn.c)

  * test/drive_wapbox.c: changed http_open_port() prototype call (see
gwlib/http.c) and conn_wrap_fd() prototype call (see gwlib/conn.c)

  * test/test_http_server.c: changed http_open_port() prototype call
(see gwlib/http.c)

  * test/test_smsc.c: changed http_open_port() prototype call (see
gwlib/http.c) and conn_wrap_fd() prototype call (see gwlib/conn.c)


Puh, that's it! -- Have fun.


Stipe

[EMAIL PROTECTED]
-------------------------------------------------------------------
Wapme Systems AG

Münsterstr. 248
40470 Düsseldorf

Tel: +49-211-74845-0
Fax: +49-211-74845-299

E-Mail: [EMAIL PROTECTED]
Internet: http://www.wapme-systems.de
-------------------------------------------------------------------
wapme.net - wherever you are
diff -urN gateway/config.h.in gateway-2001-10-11-ssl/config.h.in
--- gateway/config.h.in Fri Jul  6 07:49:42 2001
+++ gateway-2001-10-11-ssl/config.h.in  Thu Oct 11 21:13:54 2001
@@ -113,6 +113,9 @@
 /* Define if you have and want to use the ssl library (-lssl) */
 #undef HAVE_LIBSSL
 
+/* Define which version is used for the ssl library */
+#undef OPENSSL_VERSION
+
 /* Defined if we're using OpenSSL WTLS */
 #undef HAVE_WTLS_OPENSSL
 
diff -urN gateway/configure.in gateway-2001-10-11-ssl/configure.in
--- gateway/configure.in        Mon Sep  3 21:55:10 2001
+++ gateway-2001-10-11-ssl/configure.in Thu Oct 11 21:14:48 2001
@@ -369,7 +369,7 @@
 SSL="ssl"
 
 AC_ARG_ENABLE(ssl,
-[  --enable-ssl  enable support for ssl and https (default: enabled)], [
+[  --enable-ssl            enable support for ssl and https (default: enabled)], [
   if test "$enableval" = no ; then
     echo Disabling SSL support.
          SSL="no-ssl";
@@ -378,9 +378,22 @@
 
 if test "x$SSL" = "xssl" ; then
   echo Attempting to compile with SSL support.
-  AC_CHECK_LIB(ssl, SSL_library_init,
-  [ AC_MSG_CHECKING(whether the OpenSSL library is multithread-enabled)
-    AC_TRY_RUN([ #define OPENSSL_THREAD_DEFINES
+  AC_CHECK_LIB(crypto, SSLeay_version, 
+  [ LIBS="$LIBS -lcrypto"
+    AC_CHECK_LIB(ssl, SSL_library_init,  
+    [ AC_CHECK_HEADERS(openssl/ssl.h openssl/err.h)
+      AC_PATH_PROG(OPENSSL, openssl, no)
+      if test "$OPENSSL" != "yes"; then
+         AC_MSG_CHECKING([ssl version])
+            openssl_version=`openssl version`
+         AC_MSG_RESULT([$openssl_version])
+         AC_DEFINE_UNQUOTED(OPENSSL_VERSION, "$openssl_version")
+         AC_DEFINE_UNQUOTED(VERSION, "`head -1 VERSION` (OpenSSL)")
+      else
+         AC_DEFINE_UNQUOTED(OPENSSL_VERSION, "no SSL library")
+      fi
+      AC_MSG_CHECKING(whether the OpenSSL library is multithread-enabled)
+      AC_TRY_RUN([ #define OPENSSL_THREAD_DEFINES
                  #include <openssl/opensslconf.h>
                  int main(void) {
                  #if defined(THREADS)
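Review bot: The guard `if test "$OPENSSL" != "yes"` on the new AC_PATH_PROG branch can never take its else path, because AC_PATH_PROG stores the program's path on success and the literal `no` (the value-if-not-found argument) otherwise, so `openssl version` is run even when no openssl binary exists and the `"no SSL library"` define is dead. It should read `if test "$OPENSSL" != "no"; then`. Note also that this records the version of whichever `openssl` binary is first in PATH, which need not be the library actually linked, so OPENSSL_VERSION is informational at best and should not be used to gate any behaviour.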
@@ -390,11 +403,12 @@
                  #endif
                  }
               ], echo yes;AC_DEFINE(HAVE_LIBSSL)
-              LIBS="$LIBS -lssl",
-              echo no;echo Either get a multithread-enabled SSL or configure with 
--disable-ssl;
-              exit 1,
+              LIBS="$LIBS -lssl -lcrypto",
+             echo no;AC_DEFINE(HAVE_LIBSSL)
+              LIBS="$LIBS -lssl -lcrypto";echo "WARNING: OpenSSL is not 
+multithread-enabled!",
               echo "Cross-compiling; make sure your SSL library is 
multithread-enabled"
-              )
+       )
+     ])
   ])
 fi
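Review bot: The new failure branch of the multithread check downgrades a non-thread-safe OpenSSL from a hard stop to a warning while still defining HAVE_LIBSSL and linking -lssl, so a gateway that drives SSL from several threads (server_thread in http.c is one visible example) will now build against a library whose internal state has no locking; the locking callbacks installed in conn.c only work if OpenSSL itself was built with THREADS. The original `exit 1` was the safer default and should stay, or the downgrade should be an explicit opt-in rather than what a plain `./configure` does. This hunk also appends `-lcrypto` to LIBS a second time after the outer AC_CHECK_LIB(crypto, ...) already added it, which is harmless but worth tidying.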
 
diff -urN gateway/gw/bb_boxc.c gateway-2001-10-11-ssl/gw/bb_boxc.c
--- gateway/gw/bb_boxc.c        Mon Oct  8 19:43:04 2001
+++ gateway-2001-10-11-ssl/gw/bb_boxc.c Thu Oct 11 21:15:32 2001
@@ -257,7 +257,7 @@
     boxc = gw_malloc(sizeof(Boxc));
     boxc->is_wap = 0;
     boxc->load = 0;
-    boxc->conn = conn_wrap_fd(fd);
+    boxc->conn = conn_wrap_fd(fd, 0);
     boxc->id = boxid++;                /* XXX  MUTEX! fix later... */
     boxc->client_ip = ip;
     boxc->alive = 1;
diff -urN gateway/gw/bb_http.c gateway-2001-10-11-ssl/gw/bb_http.c
--- gateway/gw/bb_http.c        Sat Jul 28 03:13:24 2001
+++ gateway-2001-10-11-ssl/gw/bb_http.c Thu Oct 11 21:16:56 2001
@@ -283,6 +283,11 @@
 int httpadmin_start(Cfg *cfg)
 {
     CfgGroup *grp;
+    int ssl = 0; 
+#ifdef HAVE_LIBSSL
+    Octstr *ssl_server_cert_file;
+    Octstr *ssl_server_key_file;
+#endif /* HAVE_LIBSSL */
     
     if (httpadmin_running) return -1;
 
@@ -299,8 +304,29 @@
 
     ha_allow_ip = cfg_get(grp, octstr_imm("admin-allow-ip"));
     ha_deny_ip = cfg_get(grp, octstr_imm("admin-deny-ip"));
+
+#ifdef HAVE_LIBSSL
+    cfg_get_bool(&ssl, grp, octstr_imm("admin-port-ssl"));
     
-    http_open_port(ha_port);
+    /*
+     * check if SSL is desired for HTTP servers and then
+     * load SSL client and SSL server public certificates 
+     * and private keys
+     */    
+    ssl_server_cert_file = cfg_get(grp, octstr_imm("ssl-server-cert-file"));
+    ssl_server_key_file = cfg_get(grp, octstr_imm("ssl-server-key-file"));
+    if (ssl_server_cert_file != NULL && ssl_server_key_file != NULL) {
+        use_global_server_certkey_file(ssl_server_cert_file, 
+            ssl_server_key_file);
+    } else if (ssl) {
+          panic(0, "You MUST specify cert and key files within core group for SSL!");
+    }
+
+    octstr_destroy(ssl_server_cert_file);
+    octstr_destroy(ssl_server_key_file);
+#endif /* HAVE_LIBSSL */
+
+    http_open_port(ha_port, ssl);
 
     if (gwthread_create(httpadmin_run, NULL) == -1)
        panic(0, "Failed to start a new thread for HTTP admin");
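Review bot: `admin-port-ssl` is only read inside `#ifdef HAVE_LIBSSL`, so in a build without OpenSSL a config that says `admin-port-ssl = yes` silently gets a plaintext admin server on the same port, and the admin password this interface authenticates with travels in the clear without any log line saying so. Read the flag outside the #ifdef (the `ssl` local is already declared unconditionally) and refuse to start rather than downgrade: `#else` / `if (ssl) panic(0, "admin-port-ssl requested but this build has no SSL support");` / `#endif`. The visible panic also only fires when one of the two file names is missing; if both are set but unreadable, the failure is left to use_global_server_certkey_file, which in the conn.c hunk does not check the SSL_CTX_use_* return values.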
diff -urN gateway/gw/cert.pem gateway-2001-10-11-ssl/gw/cert.pem
--- gateway/gw/cert.pem Thu Jan  1 00:00:00 1970
+++ gateway-2001-10-11-ssl/gw/cert.pem  Thu Oct 11 22:01:36 2001
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff -urN gateway/gw/key.pem gateway-2001-10-11-ssl/gw/key.pem
--- gateway/gw/key.pem  Thu Jan  1 00:00:00 1970
+++ gateway-2001-10-11-ssl/gw/key.pem   Thu Oct 11 22:01:42 2001
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
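Review bot: Committing key.pem puts an RSA private key into the public source tree, and the matching cert.pem plus smskannel-ssl.conf wire it up as the default server identity, so any server started from the sample configuration can be impersonated, and its sessions decrypted, by anyone who checked out CVS. Shipping a sample key is only acceptable if it is clearly marked as test-only and the documentation tells operators to generate their own pair (e.g. `openssl req -new -x509 -nodes -keyout key.pem -out cert.pem`) before exposing the admin or sendsms ports; the safer option is not to ship the key at all and have the sample config point at a path the operator has to create. Nothing in use_global_server_certkey_file checks the key file's permissions, so the installed file's mode is the operator's problem too and deserves a line in the docs.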
diff -urN gateway/gw/shared.c gateway-2001-10-11-ssl/gw/shared.c
--- gateway/gw/shared.c Thu Oct 11 17:18:34 2001
+++ gateway-2001-10-11-ssl/gw/shared.c  Thu Oct 11 21:17:32 2001
@@ -34,13 +34,15 @@
                         "System %s, release %s, version %s, machine %s.\n"
                         "Hostname %s, IP %s.\n"
                         "Libxml version %s.\n"
-                         "Using %s malloc.\n",
+             "Using %s\n", 
+             "Using %s malloc.\n",
                         boxname, VERSION,
                         u.sysname, u.release, u.version, u.machine,
                         octstr_get_cstr(get_official_name()),
                         octstr_get_cstr(get_official_ip()),
                         LIBXML_VERSION_STRING,
-                         octstr_get_cstr(gwmem_type()));
+             OPENSSL_VERSION,
+             octstr_get_cstr(gwmem_type()));
 }
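Review bot: The comma after `"Using %s\n",` ends the format-string argument one literal early, so `"Using %s malloc.\n"` becomes the first variadic argument and every following value shifts by one position: the banner prints that literal where boxname belongs, VERSION as the system name, and so on, and the final gwmem_type() argument is silently dropped. The two literals must stay adjacent for C string concatenation: `"Using %s\n"` with no trailing comma, followed by `"Using %s malloc.\n",`. Independently, OPENSSL_VERSION is only defined by the `if test "x$SSL" = "xssl"` branch of configure.in, so a `--disable-ssl` build would fail to compile this line; give it a fallback, e.g. `#ifndef OPENSSL_VERSION` / `#define OPENSSL_VERSION "no SSL library"` / `#endif` near the top of shared.c. The enclosing function starts before this hunk.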
 
 
diff -urN gateway/gw/smsbox.c gateway-2001-10-11-ssl/gw/smsbox.c
--- gateway/gw/smsbox.c Thu Oct 11 17:18:34 2001
+++ gateway-2001-10-11-ssl/gw/smsbox.c  Thu Oct 11 21:21:22 2001
@@ -1807,8 +1807,11 @@
     List *http_proxy_exceptions = NULL;
     Octstr *http_proxy_username = NULL;
     Octstr *http_proxy_password = NULL;
+    int ssl = 0;
 #ifdef HAVE_LIBSSL
-    Octstr *ssl_certkey_file;
+    Octstr *ssl_client_certkey_file;
+    Octstr *ssl_server_cert_file;
+    Octstr *ssl_server_key_file;
 #endif /* HAVE_LIBSSL */
 
 
@@ -1839,10 +1842,26 @@
     http_proxy_exceptions = cfg_get_list(grp,
                            octstr_imm("http-proxy-exceptions"));
 #ifdef HAVE_LIBSSL
-    ssl_certkey_file = cfg_get(grp, octstr_imm("ssl-certkey-file"));
-    if (ssl_certkey_file != NULL) 
-        use_global_certkey_file(ssl_certkey_file);
-    octstr_destroy(ssl_certkey_file);
+    /*
+     * check if SSL is desired for HTTP servers and then
+     * load SSL client and SSL server public certificates 
+     * and private keys
+     */    
+    ssl_client_certkey_file = cfg_get(grp, octstr_imm("ssl-client-certkey-file"));
+    if (ssl_client_certkey_file != NULL) 
+        use_global_client_certkey_file(ssl_client_certkey_file);
+    ssl_server_cert_file = cfg_get(grp, octstr_imm("ssl-server-cert-file"));
+    ssl_server_key_file = cfg_get(grp, octstr_imm("ssl-server-key-file"));
+    if (ssl_server_cert_file != NULL && ssl_server_key_file != NULL) {
+        use_global_server_certkey_file(ssl_server_cert_file, 
+            ssl_server_key_file);
+    } else if (ssl) {
+          panic(0, "You MUST specify cert and key files within core group for SSL!");
+    }
+ 
+    octstr_destroy(ssl_client_certkey_file);
+    octstr_destroy(ssl_server_cert_file);
+    octstr_destroy(ssl_server_key_file);
 #endif /* HAVE_LIBSSL */
 
     /*
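Review bot: The `else if (ssl)` check in this hunk is evaluated while `ssl` is still its initial 0, because `sendsms-port-ssl` is only read from the smsbox group further down (the later `cfg_get_bool(&ssl, grp, octstr_imm("sendsms-port-ssl"))` hunk), so the panic can never fire: a config with `sendsms-port-ssl = yes` and no server cert/key presumably starts an SSL listener whose context has no certificate, and every client handshake then fails at runtime instead of the misconfiguration being caught at startup. Remember whether the server key pair was loaded, e.g. `int have_server_certkey = 0;` set to 1 next to the use_global_server_certkey_file() call, and move the check after the cfg_get_bool: `if (ssl && !have_server_certkey) panic(0, "sendsms-port-ssl requires ssl-server-cert-file and ssl-server-key-file in the core group");`. init_smsbox begins before this hunk.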
@@ -1891,6 +1910,10 @@
     cfg_get_integer(&sendsms_port, grp, octstr_imm("sendsms-port"));
     cfg_get_integer(&sms_max_length, grp, octstr_imm("sms-length"));
 
+#ifdef HAVE_LIBSSL
+    cfg_get_bool(&ssl, grp, octstr_imm("sendsms-port-ssl"));
+#endif /* HAVE_LIBSSL */
+
     global_sender = cfg_get(grp, octstr_imm("global-sender"));
     accepted_chars = cfg_get(grp, octstr_imm("sendsms-chars"));
     logfile = cfg_get(grp, octstr_imm("log-file"));
@@ -1917,7 +1940,7 @@
     }
 
     if (sendsms_port > 0) {
-       if (http_open_port(sendsms_port) == -1) {
+       if (http_open_port(sendsms_port, ssl) == -1) {
            if (only_try_http)
                error(0, "Failed to open HTTP socket, ignoring it");
            else
diff -urN gateway/gw/smsc_emi2.c gateway-2001-10-11-ssl/gw/smsc_emi2.c
--- gateway/gw/smsc_emi2.c      Thu Oct 11 18:53:42 2001
+++ gateway-2001-10-11-ssl/gw/smsc_emi2.c       Thu Oct 11 21:21:42 2001
@@ -1035,7 +1035,7 @@
            close(s);
            continue;
        }
-       server = conn_wrap_fd(s);
+       server = conn_wrap_fd(s, 0);
        if (server == NULL) {
            error(0, "emi2_listener: conn_wrap_fd failed on accept()ed fd");
            octstr_destroy(ip);
diff -urN gateway/gw/smsc_fake.c gateway-2001-10-11-ssl/gw/smsc_fake.c
--- gateway/gw/smsc_fake.c      Mon Oct  8 19:43:04 2001
+++ gateway-2001-10-11-ssl/gw/smsc_fake.c       Thu Oct 11 21:21:56 2001
@@ -250,7 +250,7 @@
            close(s);
            continue;
        }
-       client = conn_wrap_fd(s);
+       client = conn_wrap_fd(s, 0);
        if (client == NULL) {
            error(0, "fake_listener: conn_wrap_fd failed on accept()ed fd");
            octstr_destroy(ip);
diff -urN gateway/gw/smsc_http.c gateway-2001-10-11-ssl/gw/smsc_http.c
--- gateway/gw/smsc_http.c      Thu Sep 27 13:21:34 2001
+++ gateway-2001-10-11-ssl/gw/smsc_http.c       Thu Oct 11 21:23:38 2001
@@ -395,6 +395,7 @@
     ConnData *conndata = NULL;
     Octstr *type;
     long portno;   /* has to be long because of cfg_get_integer */
+    int ssl = 0;   /* indicate if SSL-enabled server should be used */
 
     if (cfg_get_integer(&portno, cfg, octstr_imm("port")) == -1) {
        error(0, "'port' invalid in smsc 'http' record.");
@@ -448,7 +449,7 @@
     conn->queued = httpsmsc_queued;
     conn->send_msg = httpsmsc_send;
 
-    if (http_open_port(portno)==-1)
+    if (http_open_port(portno, ssl)==-1)
        goto error;
 
     conndata->port = portno;
diff -urN gateway/gw/smskannel-ssl.conf gateway-2001-10-11-ssl/gw/smskannel-ssl.conf
--- gateway/gw/smskannel-ssl.conf       Thu Jan  1 00:00:00 1970
+++ gateway-2001-10-11-ssl/gw/smskannel-ssl.conf        Thu Oct 11 22:07:20 2001
@@ -0,0 +1,99 @@
+#
+# THIS IS A SAMPLE CONFIGURATION FOR SMS KANNEL
+# (using SSL enabled HTTP servers)
+#
+# It is run like this:
+#
+#  1% gw/bearerbox gw/smskannel.conf
+#  2% gw/smsbox gw/smskannel.conf
+#  3% test/fakesmsc -p 10000 -H localhost -i 1 -m 100 "123 345 text nop"
+#
+# ..all 3 commands in separate shells (or screen sessions)
+#
+# For any modifications to this file, see Kannel User Guide 
+# If that does not help, send email to [EMAIL PROTECTED]
+#
+#   Kalle Marjola May 2000
+#   Changed for new fakesmsc version by Uoti Urpala Jan 2001
+#   Added service and sendsms for HTTP SMSC by Kalle Marjola Mar 2001
+#
+
+group = core
+admin-port = 13000
+admin-port-ssl = yes
+smsbox-port = 13001
+admin-password = bar
+#status-password = foo
+#admin-deny-ip = ""
+#admin-allow-ip = ""
+#log-file = "/tmp/kannel.log"
+#log-level = 0
+box-deny-ip = "*.*.*.*"
+box-allow-ip = "127.0.0.1"
+unified-prefix = "00358,0"
+#access-log = "access.log"
+#store-file = "kannel.store"
+#ssl-client-certkey-file = "mycertandprivkeyfile.pem"
+ssl-server-cert-file = "cert.pem"
+ssl-server-key-file = "key.pem"
+
+# SMSC CONNECTIONS
+
+group = smsc
+smsc = fake
+smsc-id = FAKE
+port = 10000
+connect-allow-ip = 127.0.0.1
+
+
+# SMSBOX SETUP
+
+group = smsbox
+bearerbox-host = localhost
+sendsms-port = 13013
+sendsms-port-ssl = yes
+global-sender = 13013
+#sendsms-chars = "0123456789 +-"
+#log-file = "/tmp/smsbox.log"
+#log-level = 0
+#access-log = "access.log"
+
+
+# SEND-SMS USERS
+
+group = sendsms-user
+username = tester
+password = foobar
+#user-deny-ip = ""
+#user-allow-ip = ""
+
+# this sender is for Kannel relay testing (http_smsc)
+
+group = sendsms-user
+username = kannel
+password = rL4y
+user-deny-ip = "*.*.*.*"
+user-allow-ip = "127.0.0.1"
+
+
+# SERVICES
+
+group = sms-service
+keyword = nop
+text = "You asked nothing and I did it!"
+
+# this service is for Kannel relay testing, when this Kannel
+# works as relay gateway
+
+group = sms-service
+keyword = relay
+get-url = "http://localhost:15130/sms?user=kannel&pass=rL4y&from=%p&to=%P&text=%r";
+max-messages = 0
+
+
+# there should be default always
+
+group = sms-service
+keyword = default
+text = "No service spesified"
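Review bot: The run instructions in the header still start bearerbox and smsbox with `gw/smskannel.conf`, so anyone following them never exercises this SSL configuration; the two lines should read `gw/bearerbox gw/smskannel-ssl.conf` and `gw/smsbox gw/smskannel-ssl.conf`. The file also makes the checked-in cert.pem/key.pem pair the live server identity and keeps `admin-password = bar`; a comment next to `ssl-server-key-file` saying that both files are published test material and must be replaced with an operator-generated key pair before any real deployment would prevent the obvious copy-and-run mistake. The "spesified" typo in the default service text is inherited from the original sample.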
+
diff -urN gateway/gw/wap_push_ppg.c gateway-2001-10-11-ssl/gw/wap_push_ppg.c
--- gateway/gw/wap_push_ppg.c   Wed Oct 10 13:59:22 2001
+++ gateway-2001-10-11-ssl/gw/wap_push_ppg.c    Thu Oct 11 21:24:20 2001
@@ -235,6 +235,8 @@
 void wap_push_ppg_init(wap_dispatch_func_t *ota_dispatch, 
                        wap_dispatch_func_t *appl_dispatch)
 {
+    int ssl = 0;   /* indicate if SSL-enabled server should be used */
+
     ppg_queue = list_create();
     list_add_producer(ppg_queue);
     push_id_counter = counter_create();
@@ -244,7 +246,7 @@
     dispatch_to_ota = ota_dispatch;
     dispatch_to_appl = appl_dispatch;
 
-    http_open_port(HTTP_PORT);
+    http_open_port(HTTP_PORT, ssl);
     http_clients = dict_create(NUMBER_OF_PUSHES, NULL);
     urls = dict_create(NUMBER_OF_PUSHES, octstr_destroy_item);
 
diff -urN gateway/gwlib/cfg.def gateway-2001-10-11-ssl/gwlib/cfg.def
--- gateway/gwlib/cfg.def       Thu Oct 11 17:18:34 2001
+++ gateway-2001-10-11-ssl/gwlib/cfg.def        Thu Oct 11 21:25:22 2001
@@ -20,6 +20,7 @@
 
 SINGLE_GROUP(core,
     OCTSTR(admin-port)
+    OCTSTR(admin-port-ssl)
     OCTSTR(admin-password)
     OCTSTR(status-password)
     OCTSTR(admin-deny-ip)
@@ -43,7 +44,9 @@
     OCTSTR(http-proxy-exceptions)
     OCTSTR(http-proxy-username)
     OCTSTR(http-proxy-password)
-    OCTSTR(ssl-certkey-file)
+    OCTSTR(ssl-client-certkey-file)
+    OCTSTR(ssl-server-cert-file)
+    OCTSTR(ssl-server-key-file)
 )
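Review bot: Renaming `ssl-certkey-file` to `ssl-client-certkey-file` without keeping the old spelling means an existing core group that still sets `ssl-certkey-file` is either rejected as an unknown variable or silently ignored, in which case outgoing HTTPS connections lose their client certificate with no error; keep `OCTSTR(ssl-certkey-file)` as a deprecated alias for at least one release and have smsbox.c accept both names. The three new `-ssl` flags are declared OCTSTR like everything else but read with cfg_get_bool, which matches the file's convention.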
 
 
@@ -75,6 +78,7 @@
 SINGLE_GROUP(smsbox,
     OCTSTR(bearerbox-host)
     OCTSTR(sendsms-port)
+    OCTSTR(sendsms-port-ssl)
     OCTSTR(sendsms-chars)
     OCTSTR(global-sender)
     OCTSTR(log-file)
diff -urN gateway/gwlib/conn.c gateway-2001-10-11-ssl/gwlib/conn.c
--- gateway/gwlib/conn.c        Mon Oct  8 19:43:04 2001
+++ gateway-2001-10-11-ssl/gwlib/conn.c Thu Oct 11 21:32:58 2001
@@ -3,6 +3,12 @@
  * This file implements the interface defined in conn.h.
  *
  * Richard Braakman
+ *
+ * SSL client implementation contributed by
+ * Jarkko Kovala <[EMAIL PROTECTED]>
+ *
+ * SSL server implementation contributed by
+ * Stipe Tolj <[EMAIL PROTECTED]> for Wapme Systems AG
  */
 
 /* TODO: unlocked_close() on error */
@@ -22,6 +28,9 @@
 #include <openssl/ssl.h>
 
 SSL_CTX *global_ssl_context;
+SSL_CTX *global_server_ssl_context;
+X509 *ssl_public_cert;
+RSA *ssl_private_key;
 #endif /* HAVE_LIBSSL */
 
 /*
@@ -386,13 +395,14 @@
                                               NULL : octstr_get_cstr(our_host));
     if (sockfd < 0)
        return NULL;
-    return conn_wrap_fd(sockfd);
+    return conn_wrap_fd(sockfd, 0);
 }
 
 
-Connection *conn_wrap_fd(int fd)
+Connection *conn_wrap_fd(int fd, int ssl)
 {
     Connection *conn;
+       unsigned long err;
 
     if (socket_set_blocking(fd, 0) < 0)
         return NULL;
@@ -418,12 +428,51 @@
     conn->listening_pollin = 0;
     conn->listening_pollout = 0;
 #ifdef HAVE_LIBSSL
-    conn->ssl = NULL;
-    conn->peer_certificate = NULL;
-    conn->ssl_mutex = NULL;
+    /*
+     * do all the SSL magic for this connection
+     */
+    if (ssl) {
+        conn->ssl = SSL_new(global_server_ssl_context);
+        conn->peer_certificate = NULL;
+
+        SSL_set_fd(conn->ssl, conn->fd);
+        /*
+        if (!SSL_use_RSAPrivateKey(conn->ssl, ssl_private_key)) {
+            error(0, "SSL: could not use private key for server connection!");
+           SSL_free(conn->ssl);
+            goto error;
+        }
+        if (!SSL_use_certificate(conn->ssl, ssl_public_cert)) {
+            error(0, "SSL: could not use public certificate for server connection!");
+           SSL_free(conn->ssl);
+            goto error;
+        }
+        */
+        SSL_set_verify(conn->ssl, 0, NULL);
+        BIO_set_nbio(SSL_get_rbio(conn->ssl), 0);
+        BIO_set_nbio(SSL_get_wbio(conn->ssl), 0);
+
+        conn->ssl_mutex = mutex_create();
+        if (!SSL_accept(conn->ssl)) {
+               if ((err = ERR_get_error())) {
+                error(0, "SSL: Access failed: %.256s", ERR_error_string(err, NULL));
+           }
+            error(0, "SSL: disconnected.");
+            SSL_free(conn->ssl);
+            goto error;
+        }
+    } else {
+        conn->ssl = NULL;
+        conn->peer_certificate = NULL;
+        conn->ssl_mutex = NULL;
+    }
 #endif /* HAVE_LIBSSL */
 
     return conn;
+
+error:
+    conn_destroy(conn);
+    return NULL;
 }
 
 void conn_destroy(Connection *conn)
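Review bot: The server-side branch treats `!SSL_accept(conn->ssl)` as the only failure, but SSL_accept returns 1 on success, 0 on a rejected handshake and a negative value on error, so a -1 (including the WANT_READ/WANT_WRITE case a non-blocking descriptor produces) passes the test and a Connection with an unfinished handshake is handed to the caller; since `socket_set_blocking(fd, 0)` runs a few lines earlier and BIO_set_nbio only flags the BIO rather than changing the descriptor's mode, that is the expected outcome, not a corner case. SSL_new() is never checked, and the failure path calls SSL_free(conn->ssl) and then conn_destroy(conn) with conn->ssl still pointing at the freed object, which is a double free if conn_destroy also frees it (its body is outside this hunk). `SSL_set_verify(conn->ssl, 0, NULL)` is SSL_VERIFY_NONE, a reasonable server default that deserves a comment, and the ssl_public_cert/ssl_private_key globals used only in the commented-out block are dead. The rewrite below fixes the accept check and the error path; whether the handshake should be completed lazily on a non-blocking fd or the fd temporarily made blocking still has to be decided.
```c
    if (ssl) {
        int rc;

        conn->peer_certificate = NULL;
        conn->ssl_mutex = NULL;
        conn->ssl = SSL_new(global_server_ssl_context);
        if (conn->ssl == NULL) {
            error(0, "SSL: SSL_new failed: %.256s",
                  ERR_error_string(ERR_get_error(), NULL));
            goto error;
        }
        SSL_set_fd(conn->ssl, conn->fd);
        /* no client certificate is requested or verified */
        SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
        /* NOTE(review): fd was set non-blocking above; confirm SSL_accept
         * is not handed a would-block here */
        BIO_set_nbio(SSL_get_rbio(conn->ssl), 0);
        BIO_set_nbio(SSL_get_wbio(conn->ssl), 0);
        conn->ssl_mutex = mutex_create();

        /* SSL_accept: 1 = done, 0 = handshake rejected, <0 = error/would-block */
        rc = SSL_accept(conn->ssl);
        if (rc != 1) {
            err = ERR_get_error();
            error(0, "SSL: handshake failed (rc=%d, ssl_error=%d): %.256s",
                  rc, SSL_get_error(conn->ssl, rc),
                  err ? ERR_error_string(err, NULL) : "no error queued");
            SSL_free(conn->ssl);
            conn->ssl = NULL;
            goto error;
        }
    } else {
        /* … unchanged: plain (non-SSL) field initialisation … */
    }
```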
@@ -989,7 +1038,20 @@
     return(conn->peer_certificate);
 }
 
+RSA *tmp_rsa_callback(SSL *ssl, int export, int key_len) 
+{
+    static RSA *rsa = NULL; 
+    debug("gwlib.http", 0, "SSL: Generating new RSA key (export=%d, keylen=%d)", 
+export, key_len);
+    if (export) {
+          rsa = RSA_generate_key(key_len, RSA_F4, NULL, NULL);
+    } else {
+          debug("gwlib.http", 0, "SSL: Export not set");
+    }
+    return rsa;
+}
+
 Mutex **ssl_static_locks = NULL;
+Mutex **ssl_server_static_locks = NULL;
 
 void openssl_locking_function(int mode, int n, const char *file, int line) 
 {
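Review bot: tmp_rsa_callback generates a new RSA key on every export-cipher request and stores it in a `static RSA *rsa` that is overwritten without RSA_free, so each call leaks the previous key, and when `export` is 0 it returns whatever stale key the last export call left behind. It is also not installed anywhere in this patch (no SSL_CTX_set_tmp_rsa_callback call appears in the conn.c hunks), so as submitted it is dead code, and what it would enable is 512-bit export-grade RSA, which an admin interface should not offer at all. Drop the function and exclude export ciphers instead, e.g. `SSL_CTX_set_cipher_list(global_server_ssl_context, "ALL:!EXPORT:!LOW:!aNULL");` in server_ssl_init; if it is kept, generate the key once and cache it. The debug category `gwlib.http` is also odd for a routine that lives in conn.c.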
@@ -1014,6 +1076,28 @@
     SSL_library_init();
     SSL_load_error_strings();
     global_ssl_context = SSL_CTX_new(SSLv23_method());
+    debug("gwlib.http", 0, "HTTP: SSL library for client side initialized");
+}
+
+void server_ssl_init(void) 
+{
+    int c, maxlocks = CRYPTO_num_locks();
+    
+    gw_assert(ssl_server_static_locks == NULL);
+    ssl_server_static_locks = gw_malloc(sizeof(Mutex *) * maxlocks);
+    for (c=0;c<maxlocks;c++) 
+         ssl_server_static_locks[c] = mutex_create();
+
+    CRYPTO_set_locking_callback(openssl_locking_function);
+    CRYPTO_set_id_callback(gwthread_self);
+
+    SSLeay_add_ssl_algorithms();
+    SSL_load_error_strings();
+    global_server_ssl_context = SSL_CTX_new(SSLv23_server_method());
+    if (!SSL_CTX_set_default_verify_paths(global_server_ssl_context)) {
+          panic(0, "cannot set default path for server");
+    }
+    debug("gwlib.http", 0, "HTTP: SSL library for server side initialized");
 }
 
 void conn_shutdown_ssl(void)
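Review bot: `SSLv23_server_method()` accepts SSLv2 client hellos and will negotiate SSLv2 unless that is switched off, so despite the cover note's "SSLv3" the new admin and sendsms listeners speak a protocol with well-known cipher-downgrade and integrity weaknesses; add `SSL_CTX_set_options(global_server_ssl_context, SSL_OP_NO_SSLv2);` right after SSL_CTX_new and set a cipher list that excludes export and NULL ciphers. The `ssl_server_static_locks` array allocated here is never handed to anything: CRYPTO_set_locking_callback(openssl_locking_function) re-installs the callback conn_init_ssl already installed, and that function (its body is outside this hunk) presumably indexes `ssl_static_locks`, so the second array is only ever allocated and destroyed — one lock set shared by both contexts is enough. `SSL_CTX_set_default_verify_paths` has no effect while the accept path uses SSL_VERIFY_NONE, and `CRYPTO_set_id_callback(gwthread_self)` relies on gwthread_self having the `unsigned long (*)(void)` signature OpenSSL expects, which should be confirmed.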
@@ -1027,7 +1111,19 @@
     gw_free(ssl_static_locks);
 }
 
-void use_global_certkey_file(Octstr *certkeyfile) {
+void server_shutdown_ssl(void)
+{
+    int c, maxlocks = CRYPTO_num_locks();
+
+    SSL_CTX_free(global_server_ssl_context);
+
+    for (c=0;c<maxlocks;c++) 
+        mutex_destroy(ssl_server_static_locks[c]);
+    gw_free(ssl_server_static_locks);
+}
+
+void use_global_client_certkey_file(Octstr *certkeyfile) 
+{
     SSL_CTX_use_certificate_file(global_ssl_context, 
                                  octstr_get_cstr(certkeyfile), 
                                  SSL_FILETYPE_PEM);
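Review bot: server_shutdown_ssl frees the server SSL_CTX and then `ssl_server_static_locks` while the locking callback installed in server_ssl_init is still registered, and http_shutdown (see the http.c hunk) runs conn_shutdown_ssl first, which from the context line above already does `gw_free(ssl_static_locks)` — the array the shared callback indexes; if OpenSSL takes a lock during SSL_CTX_free, that is a use after free. Unregister before the mutexes go away, `CRYPTO_set_locking_callback(NULL);` and `CRYPTO_set_id_callback(NULL);` at the top of whichever shutdown routine runs last, and set `ssl_server_static_locks = NULL;` after the gw_free so a later init would pass its gw_assert instead of reading a dangling pointer.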
@@ -1035,10 +1131,29 @@
                                 octstr_get_cstr(certkeyfile),
                                 SSL_FILETYPE_PEM);
     if (SSL_CTX_check_private_key(global_ssl_context) != 1)
-        panic(0, "reading global certificate file %s, the certificate \
+        panic(0, "reading global client certificate file %s, the certificate \
 isn't consistent with the private key (or failed reading the file)", 
               octstr_get_cstr(certkeyfile));
     info(0, "Using global SSL certificate and key from file %s",
          octstr_get_cstr(certkeyfile));
+}
+
+void use_global_server_certkey_file(Octstr *certfile, Octstr *keyfile) 
+{
+    SSL_CTX_use_certificate_file(global_server_ssl_context, 
+                                  octstr_get_cstr(certfile), 
+                                  SSL_FILETYPE_PEM);
+    SSL_CTX_use_PrivateKey_file(global_server_ssl_context,
+                                 octstr_get_cstr(keyfile),
+                                 SSL_FILETYPE_PEM);
+    if (SSL_CTX_check_private_key(global_server_ssl_context) != 1) {
+        error(0, "SSL: %s", ERR_error_string(ERR_get_error(), NULL));
+        panic(0, "reading global server certificate file %s, the certificate \
+                  isn't consistent with the private key in file %s \
+                  (or failed reading the file)", 
+                  octstr_get_cstr(certfile), octstr_get_cstr(keyfile));
+    }
+    info(0, "Using global server SSL certificate from file %s", 
+octstr_get_cstr(certfile));
+    info(0, "Using global server SSL key from file %s", octstr_get_cstr(keyfile));
 }
 #endif /* HAVE_LIBSSL */
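Review bot: The return values of SSL_CTX_use_certificate_file and SSL_CTX_use_PrivateKey_file are discarded in use_global_server_certkey_file (and in the client variant above it), so a missing, unreadable or non-PEM file is only noticed indirectly by SSL_CTX_check_private_key, and the panic then blames a key/cert mismatch whatever the real cause. Check each load on its own: `if (SSL_CTX_use_certificate_file(global_server_ssl_context, octstr_get_cstr(certfile), SSL_FILETYPE_PEM) != 1) panic(0, "SSL: cannot load server certificate %s: %s", octstr_get_cstr(certfile), ERR_error_string(ERR_get_error(), NULL));` and the same for the key file. Since this key protects the admin and sendsms passwords, this is also the natural place to warn when the key file is group- or world-readable (a stat() and a look at st_mode), given that the sample tree ships key.pem with no such protection.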
diff -urN gateway/gwlib/conn.h gateway-2001-10-11-ssl/gwlib/conn.h
--- gateway/gwlib/conn.h        Mon Oct  8 19:43:04 2001
+++ gateway-2001-10-11-ssl/gwlib/conn.h Thu Oct 11 21:36:36 2001
@@ -70,8 +70,9 @@
 /* Create a Connection structure around the given file descriptor.
  * The file descriptor must not be used for anything else after this;
  * it must always be accessed via the Connection operations.  This
- * operation cannot fail. */
-Connection *conn_wrap_fd(int fd);
+ * operation cannot fail. Second var indicates if the is a SSL enabled
+ * connection. */
+Connection *conn_wrap_fd(int fd, int ssl);
 
 /* Close and deallocate a Connection.  Log any errors reported by
  * the close operation. */
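Review bot: The comment still says "This operation cannot fail", but the conn.c hunk now returns NULL from conn_wrap_fd when SSL_new or the SSL_accept handshake fails, and the http.c server loop passes that result straight to client_create; the contract change must be written down so callers know to check. Suggested wording for the trailing sentences: `Returns NULL if the descriptor cannot be made non-blocking or, when ssl is non-zero, if the server-side SSL handshake on it fails; callers must check for this. With ssl non-zero the handshake is performed synchronously using the global server context, so use_global_server_certkey_file() must have been called first.` "if the is a SSL enabled" should read "if this is an SSL enabled".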
@@ -195,16 +196,31 @@
  */
 X509 *get_peer_certificate(Connection *conn);
 
+/* Sets OpenSSL locking for callback within conn.c (client SSL) and 
+ * http.c (server SSL).
+ */
+void openssl_locking_function(int mode, int n, const char *file, int line);
+
 /* These must be called if SSL is used. Currently http.c calls 
- * conn_init_ssl from http_init and conn_shutdown_ssl from http_shutdown. 
+ * conn_init_ssl and server_init_ssl from http_init and 
+ * conn_shutdown_ssl and server_shutdown_ssl from http_shutdown. 
  */
 void conn_init_ssl(void);
 void conn_shutdown_ssl(void);
+void server_init_ssl(void);
+void server_shutdown_ssl(void);
+
+/* Specifies a global PEM-encoded certificate and a private key file 
+ * to be used with SSL client connections (outgoing HTTP requests). 
+ * conn_init_ssl() must be called first. This checks that the private 
+ * key matches with the certificate and will panic if it doesn't.
+ */
+void use_global_client_certkey_file(Octstr *certkeyfile);
 
 /* Specifies a global PEM-encoded certificate and a private key file 
- * to be used with SSL connections. conn_init_ssl() must be called 
- * first. This checks that the private key matches with the certificate
- * and will panic if it doesn't.
+ * to be used with SSL server connections (incoming HTTP requests). 
+ * conn_init_ssl() must be called first. This checks that the private 
+ * key matches with the certificate and will panic if it doesn't.
  */
-void use_global_certkey_file(Octstr *certkeyfile);
+void use_global_server_certkey_file(Octstr *certfile, Octstr *keyfile); 
 #endif /* HAVE_LIBSSL */
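Review bot: The header declares `server_init_ssl()` but conn.c defines `server_ssl_init()` and http_init calls `server_ssl_init()`, so this prototype never matches anything, the call in http.c compiles only as an implicit declaration, and the comment on conn_init_ssl names a function that does not exist; pick one spelling (the conn.c/http.c one, `void server_ssl_init(void);`) and use it in the prototype and the comment. The doc for use_global_server_certkey_file also says `conn_init_ssl() must be called first`, but the context it loads into is global_server_ssl_context, created by server_ssl_init, so that sentence should name server_ssl_init. openssl_locking_function is exported here, yet nothing in the patch calls it outside conn.c, so it could stay file-local.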
diff -urN gateway/gwlib/http.c gateway-2001-10-11-ssl/gwlib/http.c
--- gateway/gwlib/http.c        Mon Oct  8 22:10:38 2001
+++ gateway-2001-10-11-ssl/gwlib/http.c Thu Oct 11 21:40:08 2001
@@ -1659,6 +1659,7 @@
 struct server {
     int fd;
     int port;
+    int ssl;
 };
 
 
@@ -1666,6 +1667,7 @@
 {
     struct pollfd tab[MAX_SERVERS];
     int ports[MAX_SERVERS];
+    int ssl[MAX_SERVERS];
     long i, j, n, fd;
     int *portno;
     struct server *p;
@@ -1685,6 +1687,7 @@
            tab[n].fd = p->fd;
            tab[n].events = POLLIN;
            ports[n] = p->port;
+        ssl[n] = p->ssl;
            ++n;
            gw_free(p);
        }
@@ -1705,9 +1708,10 @@
                    port_remove(ports[i]);
                    tab[i].fd = -1;
                    ports[i] = -1;
+            ssl[i] = 0;
                } else {
-                   conn = conn_wrap_fd(fd);
-                   client = client_create(ports[i], conn, host_ip(addr));
+                   conn = conn_wrap_fd(fd, ssl[i]);
+           client = client_create(ports[i], conn, host_ip(addr));
                    conn_register(conn, server_fdset, receive_request, 
                                  client);
                }
@@ -1721,6 +1725,7 @@
                    port_remove(ports[i]);
                    tab[i].fd = -1;
                    ports[i] = -1;
+            ssl[i] = 0;
                }
            }
            gw_free(portno);
@@ -1731,6 +1736,7 @@
            if (tab[i].fd != -1) {
                tab[j] = tab[i];
                ports[j] = ports[i];
+        ssl[j] = ssl[i];
                ++j;
            }
        }
@@ -1764,13 +1770,15 @@
 }
 
 
-int http_open_port(int port)
+int http_open_port(int port, int ssl)
 {
     struct server *p;
 
-    debug("gwlib.http", 0, "HTTP: Opening server at port %d.", port);
+    if (ssl) debug("gwlib.http", 0, "HTTP: Opening SSL server at port %d.", port);
+    else debug("gwlib.http", 0, "HTTP: Opening server at port %d.", port);
     p = gw_malloc(sizeof(*p));
     p->port = port;
+    p->ssl = ssl;
     p->fd = make_server_socket(port, NULL);
        /* XXX add interface_name if required */
     if (p->fd == -1) {
@@ -2573,6 +2581,9 @@
     client_init();
     conn_pool_init();
     server_init();
+#ifdef HAVE_LIBSSL
+    server_ssl_init();
+#endif /* HAVE_LIBSSL */
     port_init();
     
     run_status = running;
@@ -2593,6 +2604,7 @@
     proxy_shutdown();
 #ifdef HAVE_LIBSSL
     conn_shutdown_ssl();
+    server_shutdown_ssl();
 #endif /* HAVE_LIBSSL */
     run_status = limbo;
 }
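Review bot: server_shutdown_ssl is called after conn_shutdown_ssl here, and conn_shutdown_ssl (its tail is visible in the conn.c hunk context) frees the `ssl_static_locks` array that the shared openssl_locking_function indexes while the callback stays registered; SSL_CTX_free on the server context may then take an OpenSSL lock through a freed table. Either call `server_shutdown_ssl()` before `conn_shutdown_ssl()` so the context is freed while the locks still exist, or have the last shutdown routine unregister the callbacks before freeing them. Matching http_init, server_ssl_init is called unconditionally, so a configuration with no SSL listener still creates and tears down a server context; that is acceptable but worth a comment.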
diff -urN gateway/gwlib/http.h gateway-2001-10-11-ssl/gwlib/http.h
--- gateway/gwlib/http.h        Tue May  8 07:27:46 2001
+++ gateway-2001-10-11-ssl/gwlib/http.h Thu Oct 11 21:40:40 2001
@@ -264,8 +264,10 @@
  * Open an HTTP server at a given port. Return -1 for errors (invalid
  * port number, etc), 0 for OK. This will also start a background thread
  * to listen for connections to that port and read the requests from them.
+ * Second variables indicates if the HTTP server should be started for
+ * SSL-enabled connections.
  */
-int http_open_port(int port);
+int http_open_port(int port, int ssl);
 
 
 /*
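Review bot: The new comment reads "Second variables indicates" and does not say what the flag requires of the caller; suggested text: `If ssl is non-zero the listener performs a server-side SSL handshake on every accepted connection using the global server certificate and key, so use_global_server_certkey_file() must have been called before the first client connects. In builds without HAVE_LIBSSL the flag is ignored and a plain HTTP server is opened.` Whether a non-SSL build should ignore or refuse the flag ought to be decided together with the bb_http.c and smsbox.c callers, which currently only set it under #ifdef HAVE_LIBSSL.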
diff -urN gateway/test/drive_smpp.c gateway-2001-10-11-ssl/test/drive_smpp.c
--- gateway/test/drive_smpp.c   Mon Oct  8 19:43:04 2001
+++ gateway-2001-10-11-ssl/test/drive_smpp.c    Thu Oct 11 21:41:28 2001
@@ -383,7 +383,7 @@
        if (start_time == (time_t) -1)
            time(&start_time);
        gwthread_create(receive_smpp_thread, 
-                       esme_create(conn_wrap_fd(new_fd)));
+                       esme_create(conn_wrap_fd(new_fd, 0)));
        if (smsbox_thread_id == -1)
            smsbox_thread_id = gwthread_create(smsbox_thread, NULL);
     }
diff -urN gateway/test/drive_wapbox.c gateway-2001-10-11-ssl/test/drive_wapbox.c
--- gateway/test/drive_wapbox.c Mon Oct  8 19:43:04 2001
+++ gateway-2001-10-11-ssl/test/drive_wapbox.c  Thu Oct 11 21:42:06 2001
@@ -155,9 +155,10 @@
 static int start_http_thread(void) {
        unsigned short port;
        int *port_copy;
+    int ssl = 0;   /* indicate if SSL-enabled server should be used */
 
        for (port = 40000; port < 41000; port += 13) {
-               if (http_open_port(port) != -1)
+               if (http_open_port(port, ssl) != -1)
                    break;
        }
        if (port == 41000)
@@ -185,7 +186,7 @@
 
        close(wap_socket);
 
-       return conn_wrap_fd(wapbox);
+       return conn_wrap_fd(wapbox, 0);
 }
 
 static void initialize_clients(void) {
diff -urN gateway/test/test_http_server.c 
gateway-2001-10-11-ssl/test/test_http_server.c
--- gateway/test/test_http_server.c     Thu Sep 27 13:27:20 2001
+++ gateway-2001-10-11-ssl/test/test_http_server.c      Thu Oct 11 21:43:04 2001
@@ -99,6 +99,7 @@
     char *filename;
     Octstr *log_filename;
     Octstr *file_contents;
+    int ssl = 0;   /* indicate if SSL-enabled server should be used */
 
     gwlib_init();
 
@@ -162,7 +163,7 @@
     else
        file_contents = octstr_read_file(filename);
 
-    if (http_open_port(port) == -1)
+    if (http_open_port(port, ssl) == -1)
        panic(0, "http_open_server failed");
 
     /*
diff -urN gateway/test/test_smsc.c gateway-2001-10-11-ssl/test/test_smsc.c
--- gateway/test/test_smsc.c    Mon Oct  8 19:43:04 2001
+++ gateway-2001-10-11-ssl/test/test_smsc.c     Thu Oct 11 21:44:00 2001
@@ -408,7 +408,7 @@
            (void) close(new_fd);
        } else {
            thread[num_threads] = gw_malloc(sizeof(*thread[0]));
-           thread[num_threads]->conn = conn_wrap_fd(new_fd);
+           thread[num_threads]->conn = conn_wrap_fd(new_fd, 0);
            thread[num_threads]->eq = eq;
            thread[num_threads]->quit = 0;
            thread[num_threads]->writer_id = -1;
@@ -574,8 +574,9 @@
 static void httpd_emu_create(EventQueue *eq)
 {
     struct httpd_emu_arg *arg;
+    int ssl = 0;   /* indicate if SSL-enabled server should be used */
 
-    if (http_open_port(http_port) == -1)
+    if (http_open_port(http_port, ssl) == -1)
        panic(0, "Can't open HTTP server emulator port %ld.", http_port);
 
     gw_assert(httpd_emu_tid == -1);
