server: Add vty interface for the TLS configuration
Make the priority configurable, load DH params, allow to specify
certificates or anonymous operations.
Change-Id: I8ec3c0f8e1ee2089e1b7dacd9de842260930032f
diff --git a/src/osmo_server_vty.c b/src/osmo_server_vty.c
index 14cdb89..b2919ae 100644
--- a/src/osmo_server_vty.c
+++ b/src/osmo_server_vty.c
@@ -41,6 +41,45 @@
1,
};
+static void write_tls(struct vty *vty, struct osmo_pcap_server *pcap_server)
+{
+ if (!pcap_server->tls_on)
+ return;
+
+ vty_out(vty, " enable tls%s", VTY_NEWLINE);
+ vty_out(vty, " tls log-level %d%s",
+ pcap_server->tls_log_level, VTY_NEWLINE);
+
+ if (pcap_server->tls_allow_anon)
+ vty_out(vty, " tls allow-auth anonymous%s", VTY_NEWLINE);
+
+ if (pcap_server->tls_allow_x509)
+ vty_out(vty, " tls allow-auth x509%s", VTY_NEWLINE);
+
+ if (pcap_server->tls_priority)
+ vty_out(vty, " tls priority %s%s",
+ pcap_server->tls_priority, VTY_NEWLINE);
+ if (pcap_server->tls_capath)
+ vty_out(vty, " tls capath %s%s", pcap_server->tls_capath, VTY_NEWLINE);
+
+ if (pcap_server->tls_crlfile)
+ vty_out(vty, " tls crlfile %s%s", pcap_server->tls_crlfile, VTY_NEWLINE);
+
+ if (pcap_server->tls_server_cert)
+ vty_out(vty, " tls server-cert %s%s",
+ pcap_server->tls_server_cert, VTY_NEWLINE);
+
+ if (pcap_server->tls_server_key)
+ vty_out(vty, " tls server-key %s%s",
+ pcap_server->tls_server_key, VTY_NEWLINE);
+
+ if (pcap_server->tls_dh_pkcs3)
+ vty_out(vty, " tls dh pkcs3 %s%s",
+ pcap_server->tls_dh_pkcs3, VTY_NEWLINE);
+ else
+ vty_out(vty, " tls dh generate%s", VTY_NEWLINE);
+}
+
static int config_write_server(struct vty *vty)
{
struct osmo_pcap_conn *conn;
@@ -59,6 +98,8 @@
vty_out(vty, " zeromq-publisher %s %d%s",
pcap_server->zmq_ip, pcap_server->zmq_port, VTY_NEWLINE);
+ write_tls(vty, pcap_server);
+
llist_for_each_entry(conn, &pcap_server->conn, entry) {
vty_out(vty, " client %s %s%s%s%s",
conn->name, conn->remote_host,
@@ -272,6 +313,195 @@
return CMD_SUCCESS;
}
+#define TLS_STR "Transport Layer Security\n"
+
+DEFUN(cfg_enable_tls,
+ cfg_enable_tls_cmd,
+ "enable tls",
+ "Enable\n" "Transport Layer Security\n")
+{
+ pcap_server->tls_on = true;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_disable_tls,
+ cfg_disable_tls_cmd,
+ "disable tls",
+ "Disable\n" "Transport Layer Security\n")
+{
+ pcap_server->tls_on = false;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_log_level,
+ cfg_tls_log_level_cmd,
+ "tls log-level <0-255>",
+ TLS_STR "Log-level\n" "GNUtls debug level\n")
+{
+ pcap_server->tls_log_level = atoi(argv[0]);
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_allow_anon,
+ cfg_tls_allow_anon_cmd,
+ "tls allow-auth anonymous",
+ TLS_STR "allow authentication\n" "for anonymous\n")
+{
+ pcap_server->tls_allow_anon = true;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_no_tls_allow_anon,
+ cfg_no_tls_allow_anon_cmd,
+ "no tls allow-auth anonymous",
+ NO_STR TLS_STR "allow authentication\n" "for anonymous\n")
+{
+ pcap_server->tls_allow_anon = false;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_allow_x509,
+ cfg_tls_allow_x509_cmd,
+ "tls allow-auth x509",
+ TLS_STR "allow authentication\n" "for certificates\n")
+{
+ pcap_server->tls_allow_x509 = true;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_no_tls_allow_x509,
+ cfg_no_tls_allow_x509_cmd,
+ "no tls allow-auth x509",
+ NO_STR TLS_STR "allow authentication\n" "for certificates\n")
+{
+ pcap_server->tls_allow_x509 = false;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_priority,
+ cfg_tls_priority_cmd,
+ "tls priority STR",
+ TLS_STR "Priority string for GNUtls\n" "Priority string\n")
+{
+ talloc_free(pcap_server->tls_priority);
+ pcap_server->tls_priority = talloc_strdup(pcap_server, argv[0]);
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_no_tls_priority,
+ cfg_no_tls_priority_cmd,
+ "no tls priority",
+ NO_STR TLS_STR "Priority string for GNUtls\n")
+{
+ talloc_free(pcap_server->tls_priority);
+ pcap_server->tls_priority = NULL;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_capath,
+ cfg_tls_capath_cmd,
+ "tls capath .PATH",
+ TLS_STR "Trusted root certificates\n" "Filename\n")
+{
+ talloc_free(pcap_server->tls_capath);
+ pcap_server->tls_capath = talloc_strdup(pcap_server, argv[0]);
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_no_tls_capath,
+ cfg_no_tls_capath_cmd,
+ "no tls capath",
+ NO_STR TLS_STR "Trusted root certificates\n")
+{
+ talloc_free(pcap_server->tls_capath);
+ pcap_server->tls_capath = NULL;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_crlfile,
+ cfg_tls_crlfile_cmd,
+ "tls crlfile .PATH",
+ TLS_STR "CRL file\n" "Filename\n")
+{
+ talloc_free(pcap_server->tls_crlfile);
+ pcap_server->tls_crlfile = talloc_strdup(pcap_server, argv[0]);
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_no_tls_crlfile,
+ cfg_no_tls_crlfile_cmd,
+ "no tls crlfile",
+ NO_STR TLS_STR "CRL file\n")
+{
+ talloc_free(pcap_server->tls_crlfile);
+ pcap_server->tls_crlfile = NULL;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_server_cert,
+ cfg_tls_server_cert_cmd,
+ "tls server-cert .PATH",
+ TLS_STR "Server certificate\n" "Filename\n")
+{
+ talloc_free(pcap_server->tls_server_cert);
+ pcap_server->tls_server_cert = talloc_strdup(pcap_server, argv[0]);
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_no_tls_server_cert,
+ cfg_no_tls_server_cert_cmd,
+ "no tls server-cert",
+ NO_STR TLS_STR "Server certificate\n")
+{
+ talloc_free(pcap_server->tls_server_cert);
+ pcap_server->tls_server_cert = NULL;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_server_key,
+ cfg_tls_server_key_cmd,
+ "tls server-key .PATH",
+ TLS_STR "Server private key\n" "Filename\n")
+{
+ talloc_free(pcap_server->tls_server_key);
+ pcap_server->tls_server_key = talloc_strdup(pcap_server, argv[0]);
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_no_tls_server_key,
+ cfg_no_tls_server_key_cmd,
+ "no tls server-key",
+ NO_STR TLS_STR "Server private key\n")
+{
+ talloc_free(pcap_server->tls_server_key);
+ pcap_server->tls_server_key = NULL;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_dh_pkcs3,
+ cfg_tls_dh_pkcs3_cmd,
+ "tls dh pkcs .FILE",
+ TLS_STR "Diffie-Hellman Key Exchange\n" "PKCS3\n" "Filename\n")
+{
+ talloc_free(pcap_server->tls_dh_pkcs3);
+ pcap_server->tls_dh_pkcs3 = talloc_strdup(pcap_server, argv[0]);
+
+ osmo_tls_dh_load(pcap_server);
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_dh_generate,
+ cfg_tls_dh_generate_cmd,
+ "tls dh generate",
+ TLS_STR "Diffie-Hellman Key Exchange\n" "Generate prime\n")
+{
+ talloc_free(pcap_server->tls_dh_pkcs3);
+ pcap_server->tls_dh_pkcs3 = NULL;
+
+ osmo_tls_dh_generate(pcap_server);
+ return CMD_SUCCESS;
+}
+
void vty_server_init(struct osmo_pcap_server *server)
{
install_element(CONFIG_NODE, &cfg_server_cmd);
@@ -285,6 +515,27 @@
install_element(SERVER_NODE, &cfg_server_zmq_ip_port_cmd);
install_element(SERVER_NODE, &cfg_no_server_zmq_ip_port_cmd);
+ /* tls for the server */
+ install_element(SERVER_NODE, &cfg_enable_tls_cmd);
+ install_element(SERVER_NODE, &cfg_disable_tls_cmd);
+ install_element(SERVER_NODE, &cfg_tls_log_level_cmd);
+ install_element(SERVER_NODE, &cfg_tls_allow_anon_cmd);
+ install_element(SERVER_NODE, &cfg_no_tls_allow_anon_cmd);
+ install_element(SERVER_NODE, &cfg_tls_allow_x509_cmd);
+ install_element(SERVER_NODE, &cfg_no_tls_allow_x509_cmd);
+ install_element(SERVER_NODE, &cfg_tls_priority_cmd);
+ install_element(SERVER_NODE, &cfg_no_tls_priority_cmd);
+ install_element(SERVER_NODE, &cfg_tls_capath_cmd);
+ install_element(SERVER_NODE, &cfg_no_tls_capath_cmd);
+ install_element(SERVER_NODE, &cfg_tls_crlfile_cmd);
+ install_element(SERVER_NODE, &cfg_no_tls_crlfile_cmd);
+ install_element(SERVER_NODE, &cfg_tls_server_cert_cmd);
+ install_element(SERVER_NODE, &cfg_no_tls_server_cert_cmd);
+ install_element(SERVER_NODE, &cfg_tls_server_key_cmd);
+ install_element(SERVER_NODE, &cfg_no_tls_server_key_cmd);
+ install_element(SERVER_NODE, &cfg_tls_dh_generate_cmd);
+ install_element(SERVER_NODE, &cfg_tls_dh_pkcs3_cmd);
+
install_element(SERVER_NODE, &cfg_server_client_cmd);
install_element(SERVER_NODE, &cfg_server_client_store_tls_cmd);
install_element(SERVER_NODE, &cfg_server_no_client_cmd);