cachedb_redis: add TLS support

rvlad-patrascu · rvlad-patrascu · commit b82b85b6acc8 · 2020-11-26T20:56:02.000+02:00
Closes OpenSIPS#2264
diff --git a/cachedb/cachedb_id.h b/cachedb/cachedb_id.h
@@ -28,6 +28,9 @@
 
 #include "../str.h"
 
+#define CACHEDB_TLS_DOM_PARAM "tls_domain="
+#define CACHEDB_TLS_DOM_PARAM_LEN (sizeof(CACHEDB_TLS_DOM_PARAM)-1)
+
 /** Structure representing a database ID */
 struct cachedb_id {
 	char* scheme;        /**< URL scheme */
diff --git a/modules/cachedb_redis/Makefile b/modules/cachedb_redis/Makefile
@@ -9,8 +9,15 @@ include ../../Makefile.defs
 auto_gen=
 NAME=cachedb_redis.so
 
+HAVE_REDIS_SSL=$(shell if [ -n "`ldconfig -p | grep hiredis_ssl`" ]; \
+	then echo "HAVE_REDIS_SSL"; fi)
+ifeq ($(HAVE_REDIS_SSL), HAVE_REDIS_SSL)
+	LIBS+=-lhiredis_ssl -lssl -lcrypto
+	DEFS+= -DHAVE_REDIS_SSL
+endif
+
 ifeq ($(CROSS_COMPILE),)
-LIBS=-lhiredis
+LIBS+=-lhiredis
 else
 DEFS+=-I$(LOCALBASE)/include
 LIBS=-L$(LOCALBASE)/lib -lhiredis
diff --git a/modules/cachedb_redis/cachedb_redis.c b/modules/cachedb_redis/cachedb_redis.c
@@ -57,9 +57,27 @@ static param_export_t params[]={
 	{ "query_timeout",               INT_PARAM,                &redis_query_tout      },
 	{ "shutdown_on_error",           INT_PARAM,                &shutdown_on_error     },
 	{ "cachedb_url",                 STR_PARAM|USE_FUNC_PARAM, (void *)&set_connection},
+	{ "use_tls",                     INT_PARAM,                &use_tls},
 	{0,0,0}
 };
 
+static module_dependency_t *get_deps_use_tls(param_export_t *param)
+{
+	if (*(int *)param->param_pointer == 0)
+		return NULL;
+
+	return alloc_module_dep(MOD_TYPE_DEFAULT, "tls_mgm", DEP_ABORT);
+}
+
+static dep_export_t deps = {
+	{
+		{ MOD_TYPE_NULL, NULL, 0 },
+	},
+	{
+		{ "use_tls", get_deps_use_tls },
+		{ NULL, NULL },
+	},
+};
 
 /** module exports */
 struct module_exports exports= {
@@ -68,7 +86,7 @@ struct module_exports exports= {
 	MODULE_VERSION,
 	DEFAULT_DLFLAGS,			/* dlopen flags */
 	0,							/* load function */
-	NULL,            /* OpenSIPS module dependencies */
+	&deps,                      /* OpenSIPS module dependencies */
 	0,						/* exported functions */
 	0,						/* exported async functions */
 	params,						/* exported parameters */
@@ -115,6 +133,19 @@ static int mod_init(void)
 		return -1;
 	}
 
+	/* check if we have TLS support, as it is not built by defult in libhiredis */
+#ifndef HAVE_REDIS_SSL
+	if (use_tls) {
+		LM_NOTICE("Unable to use TLS connections as libhiredis was not "
+			"compiled with TLS support!\n");
+		use_tls = 0;
+	}
+#endif
+	if (use_tls && load_tls_mgm_api(&tls_api) != 0) {
+		LM_ERR("failed to load tls_mgm API!\n");
+		return -1;
+	}
+
 	return 0;
 }
 
diff --git a/modules/cachedb_redis/cachedb_redis_dbase.c b/modules/cachedb_redis/cachedb_redis_dbase.c
@@ -28,6 +28,7 @@
 #include "cachedb_redis_utils.h"
 #include "../../mem/mem.h"
 #include "../../ut.h"
+#include "../../pt.h"
 #include "../../cachedb/cachedb.h"
 
 #include <string.h>
@@ -38,6 +39,9 @@
 int redis_query_tout = CACHEDB_REDIS_DEFAULT_TIMEOUT;
 int redis_connnection_tout = CACHEDB_REDIS_DEFAULT_TIMEOUT;
 int shutdown_on_error = 0;
+int use_tls = 0;
+
+struct tls_mgm_binds tls_api;
 
 redisContext *redis_get_ctx(char *ip, int port)
 {
@@ -71,6 +75,64 @@ redisContext *redis_get_ctx(char *ip, int port)
 	return ctx;
 }
 
+#ifdef HAVE_REDIS_SSL
+static void tls_print_errstack(void)
+{
+	int code;
+
+	while ((code = ERR_get_error())) {
+		LM_ERR("TLS errstack: %s\n", ERR_error_string(code, 0));
+	}
+}
+
+static int redis_init_ssl(char *url_extra_opts, redisContext *ctx,
+	struct tls_domain **tls_dom)
+{
+	str tls_dom_name;
+	SSL *ssl;
+
+	if (*tls_dom == NULL) {
+		if (strncmp(url_extra_opts, CACHEDB_TLS_DOM_PARAM,
+				CACHEDB_TLS_DOM_PARAM_LEN)) {
+			LM_ERR("Invalid Redis URL parameter: %s\n", url_extra_opts);
+			return -1;
+		}
+
+		tls_dom_name.s = url_extra_opts + CACHEDB_TLS_DOM_PARAM_LEN;
+		tls_dom_name.len = strlen(tls_dom_name.s);
+		if (!tls_dom_name.len) {
+			LM_ERR("Empty TLS domain name in Redis URL\n");
+			return -1;
+		}
+
+		*tls_dom = tls_api.find_client_domain_name(&tls_dom_name);
+		if (*tls_dom == NULL) {
+			LM_ERR("TLS domain: %.*s not found\n",
+				tls_dom_name.len, tls_dom_name.s);
+			return -1;
+		}
+	}
+
+	ssl = SSL_new((*tls_dom)->ctx[process_no]);
+	if (!ssl) {
+		LM_ERR("failed to create SSL structure (%d:%s)\n", errno, strerror(errno));
+		tls_print_errstack();
+		tls_api.release_domain(*tls_dom);
+		return -1;
+	}
+
+	if (redisInitiateSSL(ctx, ssl) != REDIS_OK) {
+		printf("Failed to init Redis SSL: %s\n", ctx->errstr);
+		tls_api.release_domain(*tls_dom);
+		return -1;
+	}
+
+	LM_DBG("TLS enabled for this connection\n");
+
+	return 0;
+}
+#endif
+
 int redis_connect_node(redis_con *con,cluster_node *node)
 {
 	redisReply *rpl;
@@ -79,14 +141,22 @@ int redis_connect_node(redis_con *con,cluster_node *node)
 	if (!node->context)
 		return -1;
 
+#ifdef HAVE_REDIS_SSL
+	if (use_tls && con->id->extra_options &&
+		redis_init_ssl(con->id->extra_options, node->context,
+			&node->tls_dom) < 0) {
+		redisFree(node->context);
+		return -1;
+	}
+#endif
+
 	if (con->id->password) {
 		rpl = redisCommand(node->context,"AUTH %s",con->id->password);
 		if (rpl == NULL || rpl->type == REDIS_REPLY_ERROR) {
 			LM_ERR("failed to auth to redis - %.*s\n",
 				rpl?(unsigned)rpl->len:7,rpl?rpl->str:"FAILURE");
 			freeReplyObject(rpl);
-			redisFree(node->context);
-			return -1;
+			goto error;
 		}
 		LM_DBG("AUTH [password] -  %.*s\n",(unsigned)rpl->len,rpl->str);
 		freeReplyObject(rpl);
@@ -98,15 +168,22 @@ int redis_connect_node(redis_con *con,cluster_node *node)
 			LM_ERR("failed to select database %s - %.*s\n",con->id->database,
 				rpl?(unsigned)rpl->len:7,rpl?rpl->str:"FAILURE");
 			freeReplyObject(rpl);
-			redisFree(node->context);
-			return -1;
+			goto error;
 		}
 
 		LM_DBG("SELECT [%s] - %.*s\n",con->id->database,(unsigned)rpl->len,rpl->str);
 		freeReplyObject(rpl);
 	}
 
 	return 0;
+
+error:
+	redisFree(node->context);
+	if (use_tls && node->tls_dom) {
+		tls_api.release_domain(node->tls_dom);
+		node->tls_dom = NULL;
+	}
+	return -1;
 }
 
 int redis_reconnect_node(redis_con *con,cluster_node *node)
@@ -120,19 +197,27 @@ int redis_reconnect_node(redis_con *con,cluster_node *node)
 	return redis_connect_node(con,node);
 }
 
-
 int redis_connect(redis_con *con)
 {
 	redisContext *ctx;
 	redisReply *rpl;
 	cluster_node *it;
 	int len;
+	struct tls_domain *tls_dom = NULL;
 
 	/* connect to redis DB */
 	ctx = redis_get_ctx(con->id->host,con->id->port);
 	if (!ctx)
 		return -1;
 
+#ifdef HAVE_REDIS_SSL
+	if (use_tls && con->id->extra_options &&
+		redis_init_ssl(con->id->extra_options, ctx, &tls_dom) < 0) {
+		redisFree(ctx);
+		return -1;
+	}
+#endif
+
 	/* auth using password, if any */
 	if (con->id->password) {
 		rpl = redisCommand(ctx,"AUTH %s",con->id->password);
@@ -141,8 +226,7 @@ int redis_connect(redis_con *con)
 				rpl?(unsigned)rpl->len:7,rpl?rpl->str:"FAILURE");
 			if (rpl!=NULL)
 				freeReplyObject(rpl);
-			redisFree(ctx);
-			return -1;
+			goto error;
 		}
 		LM_DBG("AUTH [password] -  %.*s\n",(unsigned)rpl->len,rpl->str);
 		freeReplyObject(rpl);
@@ -158,8 +242,7 @@ int redis_connect(redis_con *con)
 			LM_ERR("no more pkg\n");
 			if (rpl!=NULL)
 				freeReplyObject(rpl);
-			redisFree(ctx);
-			return -1;
+			goto error;
 		}
 		con->nodes->ip = (char *)(con->nodes + 1);
 
@@ -178,15 +261,17 @@ int redis_connect(redis_con *con)
 		if (build_cluster_nodes(con,rpl->str,rpl->len) < 0) {
 			LM_ERR("failed to parse Redis cluster info\n");
 			freeReplyObject(rpl);
-			redisFree(ctx);
-			return -1;
+			goto error;
 		}
 	}
 
 	if (rpl!=NULL)
 		freeReplyObject(rpl);
 	redisFree(ctx);
 
+	if (use_tls && tls_dom)
+		tls_api.release_domain(tls_dom);
+
 	con->flags |= REDIS_INIT_NODES;
 
 	for (it=con->nodes;it;it=it->next) {
@@ -201,6 +286,12 @@ int redis_connect(redis_con *con)
 	}
 
 	return 0;
+
+error:
+	redisFree(ctx);
+	if (use_tls && tls_dom)
+		tls_api.release_domain(tls_dom);
+	return -1;
 }
 
 redis_con* redis_new_connection(struct cachedb_id* id)
diff --git a/modules/cachedb_redis/cachedb_redis_dbase.h b/modules/cachedb_redis/cachedb_redis_dbase.h
@@ -28,6 +28,13 @@
 
 #include <hiredis/hiredis.h>
 #include "../../cachedb/cachedb.h"
+#include "../tls_mgm/api.h"
+
+#ifdef HAVE_REDIS_SSL
+#include <hiredis/hiredis_ssl.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#endif
 
 typedef struct cluster_nodes {
 	char *ip;							/* ip of this cluster node */
@@ -36,6 +43,8 @@ typedef struct cluster_nodes {
 	unsigned short end_slot;		/* last slot for this server */
 
 	redisContext *context;			/* actual connection to this node */
+	struct tls_domain *tls_dom;
+
 	struct cluster_nodes *next;
 } cluster_node;
 
@@ -45,6 +54,9 @@ typedef struct cluster_nodes {
 extern int redis_query_tout;
 extern int redis_connnection_tout;
 extern int shutdown_on_error;
+extern int use_tls;
+
+extern struct tls_mgm_binds tls_api;
 
 enum redis_flag {
 	REDIS_SINGLE_INSTANCE  = 1 << 0,
diff --git a/modules/cachedb_redis/cachedb_redis_utils.c b/modules/cachedb_redis/cachedb_redis_utils.c
@@ -110,6 +110,8 @@ void destroy_cluster_nodes(redis_con *con)
 	while (new) {
 		foo = new->next;
 		redisFree(new->context);
+		if (use_tls && new->tls_dom)
+			tls_api.release_domain(new->tls_dom);
 		pkg_free(new);
 		new = foo;
 	}
diff --git a/modules/cachedb_redis/doc/cachedb_redis_admin.xml b/modules/cachedb_redis/doc/cachedb_redis_admin.xml

Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,8 @@ void destroy_cluster_nodes(redis_con *con)`
`110`	`110`	`while (new) {`
`111`	`111`	`foo = new->next;`
`112`	`112`	`redisFree(new->context);`
	`113`	`+ if (use_tls && new->tls_dom)`
	`114`	`+ tls_api.release_domain(new->tls_dom);`
`113`	`115`	`pkg_free(new);`
`114`	`116`	`new = foo;`
`115`	`117`	`}`