Diffstat (limited to 'src/osmo_server_vty.c')
-rw-r--r--src/osmo_server_vty.c303
1 files changed, 293 insertions, 10 deletions
diff --git a/src/osmo_server_vty.c b/src/osmo_server_vty.c
index d13ea6f..b2919ae 100644
--- a/src/osmo_server_vty.c
+++ b/src/osmo_server_vty.c
@@ -41,6 +41,45 @@ static struct cmd_node server_node = {
1,
};
+static void write_tls(struct vty *vty, struct osmo_pcap_server *pcap_server)
+{
+ if (!pcap_server->tls_on)
+ return;
+
+ vty_out(vty, " enable tls%s", VTY_NEWLINE);
+ vty_out(vty, " tls log-level %d%s",
+ pcap_server->tls_log_level, VTY_NEWLINE);
+
+ if (pcap_server->tls_allow_anon)
+ vty_out(vty, " tls allow-auth anonymous%s", VTY_NEWLINE);
+
+ if (pcap_server->tls_allow_x509)
+ vty_out(vty, " tls allow-auth x509%s", VTY_NEWLINE);
+
+ if (pcap_server->tls_priority)
+ vty_out(vty, " tls priority %s%s",
+ pcap_server->tls_priority, VTY_NEWLINE);
+ if (pcap_server->tls_capath)
+ vty_out(vty, " tls capath %s%s", pcap_server->tls_capath, VTY_NEWLINE);
+
+ if (pcap_server->tls_crlfile)
+ vty_out(vty, " tls crlfile %s%s", pcap_server->tls_crlfile, VTY_NEWLINE);
+
+ if (pcap_server->tls_server_cert)
+ vty_out(vty, " tls server-cert %s%s",
+ pcap_server->tls_server_cert, VTY_NEWLINE);
+
+ if (pcap_server->tls_server_key)
+ vty_out(vty, " tls server-key %s%s",
+ pcap_server->tls_server_key, VTY_NEWLINE);
+
+ if (pcap_server->tls_dh_pkcs3)
+ vty_out(vty, " tls dh pkcs3 %s%s",
+ pcap_server->tls_dh_pkcs3, VTY_NEWLINE);
+ else
+ vty_out(vty, " tls dh generate%s", VTY_NEWLINE);
+}
+
static int config_write_server(struct vty *vty)
{
struct osmo_pcap_conn *conn;
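Review bot: The `tls dh pkcs3 %s` line that write_tls() emits does not round-trip, because the parser registered in the later hunk accepts `"tls dh pkcs .FILE"` (cfg_tls_dh_pkcs3) — a saved configuration with a PKCS#3 file would fail to load. Either change the writer to `vty_out(vty, " tls dh pkcs %s%s",` or rename the command string to `"tls dh pkcs3 .FILE"` so the two agree. A second point: when tls_on is false the early return skips every other TLS setting, so `disable tls` followed by a config write silently drops the configured certificate, key, CA and CRL paths; if that is intended, a comment such as `/* TLS settings are only persisted while TLS is enabled */` would make it explicit, otherwise only the `enable tls` line should be conditional. config_write_server's body continues past this hunk.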
@@ -59,10 +98,13 @@ static int config_write_server(struct vty *vty)
vty_out(vty, " zeromq-publisher %s %d%s",
pcap_server->zmq_ip, pcap_server->zmq_port, VTY_NEWLINE);
+ write_tls(vty, pcap_server);
+
llist_for_each_entry(conn, &pcap_server->conn, entry) {
- vty_out(vty, " client %s %s%s%s",
+ vty_out(vty, " client %s %s%s%s%s",
conn->name, conn->remote_host,
- conn->no_store ? " no-store" : "",
+ conn->no_store ? " no-store" : " store",
+ conn->tls_use ? " tls" : "",
VTY_NEWLINE);
}
@@ -116,32 +158,62 @@ DEFUN(cfg_server_max_size,
return CMD_SUCCESS;
}
-DEFUN(cfg_server_client,
- cfg_server_client_cmd,
- "client NAME A.B.C.D [no-store]",
- CLIENT_STR "Remote name used in filenames\n" "IP of the remote\n" "Do not store traffic\n")
+static int manage_client(struct osmo_pcap_server *pcap_server,
+ struct vty *vty,
+ const char *name, const char *remote_host,
+ bool no_store, bool use_tls)
{
struct osmo_pcap_conn *conn;
- conn = osmo_pcap_server_find(pcap_server, argv[0]);
+ conn = osmo_pcap_server_find(pcap_server, name);
if (!conn) {
vty_out(vty, "Failed to create a pcap server.\n");
return CMD_WARNING;
}
talloc_free(conn->remote_host);
- conn->remote_host = talloc_strdup(pcap_server, argv[1]);
- inet_aton(argv[1], &conn->remote_addr);
+ conn->remote_host = talloc_strdup(pcap_server, remote_host);
+ inet_aton(remote_host, &conn->remote_addr);
/* Checking no-store and maybe closing a pcap file */
- if (argc >= 3) {
+ if (no_store) {
osmo_pcap_server_close_trace(conn);
conn->no_store = 1;
} else
conn->no_store = 0;
+ if (use_tls) {
+ /* force moving to TLS */
+ if (!conn->tls_use)
+ osmo_pcap_server_close_conn(conn);
+ conn->tls_use = true;
+ } else {
+ conn->tls_use = false;
+ }
+
return CMD_SUCCESS;
}
+
+DEFUN(cfg_server_client,
+ cfg_server_client_cmd,
+ "client NAME A.B.C.D [no-store] [tls]",
+ CLIENT_STR "Remote name used in filenames\n"
+ "IP of the remote\n" "Do not store traffic\n"
+ "Use Transport Level Security\n")
+{
+ return manage_client(pcap_server, vty, argv[0], argv[1], argc >= 3, argc >= 4);
+}
+
+DEFUN(cfg_server_client_store_tls,
+ cfg_server_client_store_tls_cmd,
+ "client NAME A.B.C.D store [tls]",
+ CLIENT_STR "Remote name used in filenames\n"
+ "IP of the remote\n" "Do not store traffic\n"
+ "Use Transport Level Security\n")
+{
+ return manage_client(pcap_server, vty, argv[0], argv[1], false, argc >= 3);
+}
+
DEFUN(cfg_server_no_client,
cfg_server_no_client_cmd,
"no client NAME",
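Review bot: The help string of cfg_server_client_store_tls describes the `store` keyword as "Do not store traffic", which is the text copied from the `[no-store]` variant; it should read `"Store traffic\n"` so the VTY `?` help matches what the command does. In manage_client() the TLS transition is asymmetric: switching a client to TLS closes the existing connection so it must reconnect, but switching it back to plaintext leaves any established TLS session open — if that is deliberate, the `/* force moving to TLS */` comment should say so, otherwise the else branch likely needs the same osmo_pcap_server_close_conn() call. The `inet_aton(remote_host, ...)` result is still unchecked, so an unparseable address leaves remote_addr unchanged while remote_host is updated; this predates the commit but the refactor is a good moment to return CMD_WARNING on failure. cfg_server_no_client begins at the end of this hunk and continues outside it.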
@@ -241,6 +313,195 @@ DEFUN(cfg_no_server_zmq_ip_port,
return CMD_SUCCESS;
}
+#define TLS_STR "Transport Layer Security\n"
+
+DEFUN(cfg_enable_tls,
+ cfg_enable_tls_cmd,
+ "enable tls",
+ "Enable\n" "Transport Layer Security\n")
+{
+ pcap_server->tls_on = true;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_disable_tls,
+ cfg_disable_tls_cmd,
+ "disable tls",
+ "Disable\n" "Transport Layer Security\n")
+{
+ pcap_server->tls_on = false;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_log_level,
+ cfg_tls_log_level_cmd,
+ "tls log-level <0-255>",
+ TLS_STR "Log-level\n" "GNUtls debug level\n")
+{
+ pcap_server->tls_log_level = atoi(argv[0]);
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_allow_anon,
+ cfg_tls_allow_anon_cmd,
+ "tls allow-auth anonymous",
+ TLS_STR "allow authentication\n" "for anonymous\n")
+{
+ pcap_server->tls_allow_anon = true;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_no_tls_allow_anon,
+ cfg_no_tls_allow_anon_cmd,
+ "no tls allow-auth anonymous",
+ NO_STR TLS_STR "allow authentication\n" "for anonymous\n")
+{
+ pcap_server->tls_allow_anon = false;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_allow_x509,
+ cfg_tls_allow_x509_cmd,
+ "tls allow-auth x509",
+ TLS_STR "allow authentication\n" "for certificates\n")
+{
+ pcap_server->tls_allow_x509 = true;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_no_tls_allow_x509,
+ cfg_no_tls_allow_x509_cmd,
+ "no tls allow-auth x509",
+ NO_STR TLS_STR "allow authentication\n" "for certificates\n")
+{
+ pcap_server->tls_allow_x509 = false;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_priority,
+ cfg_tls_priority_cmd,
+ "tls priority STR",
+ TLS_STR "Priority string for GNUtls\n" "Priority string\n")
+{
+ talloc_free(pcap_server->tls_priority);
+ pcap_server->tls_priority = talloc_strdup(pcap_server, argv[0]);
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_no_tls_priority,
+ cfg_no_tls_priority_cmd,
+ "no tls priority",
+ NO_STR TLS_STR "Priority string for GNUtls\n")
+{
+ talloc_free(pcap_server->tls_priority);
+ pcap_server->tls_priority = NULL;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_capath,
+ cfg_tls_capath_cmd,
+ "tls capath .PATH",
+ TLS_STR "Trusted root certificates\n" "Filename\n")
+{
+ talloc_free(pcap_server->tls_capath);
+ pcap_server->tls_capath = talloc_strdup(pcap_server, argv[0]);
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_no_tls_capath,
+ cfg_no_tls_capath_cmd,
+ "no tls capath",
+ NO_STR TLS_STR "Trusted root certificates\n")
+{
+ talloc_free(pcap_server->tls_capath);
+ pcap_server->tls_capath = NULL;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_crlfile,
+ cfg_tls_crlfile_cmd,
+ "tls crlfile .PATH",
+ TLS_STR "CRL file\n" "Filename\n")
+{
+ talloc_free(pcap_server->tls_crlfile);
+ pcap_server->tls_crlfile = talloc_strdup(pcap_server, argv[0]);
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_no_tls_crlfile,
+ cfg_no_tls_crlfile_cmd,
+ "no tls crlfile",
+ NO_STR TLS_STR "CRL file\n")
+{
+ talloc_free(pcap_server->tls_crlfile);
+ pcap_server->tls_crlfile = NULL;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_server_cert,
+ cfg_tls_server_cert_cmd,
+ "tls server-cert .PATH",
+ TLS_STR "Server certificate\n" "Filename\n")
+{
+ talloc_free(pcap_server->tls_server_cert);
+ pcap_server->tls_server_cert = talloc_strdup(pcap_server, argv[0]);
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_no_tls_server_cert,
+ cfg_no_tls_server_cert_cmd,
+ "no tls server-cert",
+ NO_STR TLS_STR "Server certificate\n")
+{
+ talloc_free(pcap_server->tls_server_cert);
+ pcap_server->tls_server_cert = NULL;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_server_key,
+ cfg_tls_server_key_cmd,
+ "tls server-key .PATH",
+ TLS_STR "Server private key\n" "Filename\n")
+{
+ talloc_free(pcap_server->tls_server_key);
+ pcap_server->tls_server_key = talloc_strdup(pcap_server, argv[0]);
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_no_tls_server_key,
+ cfg_no_tls_server_key_cmd,
+ "no tls server-key",
+ NO_STR TLS_STR "Server private key\n")
+{
+ talloc_free(pcap_server->tls_server_key);
+ pcap_server->tls_server_key = NULL;
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_dh_pkcs3,
+ cfg_tls_dh_pkcs3_cmd,
+ "tls dh pkcs .FILE",
+ TLS_STR "Diffie-Hellman Key Exchange\n" "PKCS3\n" "Filename\n")
+{
+ talloc_free(pcap_server->tls_dh_pkcs3);
+ pcap_server->tls_dh_pkcs3 = talloc_strdup(pcap_server, argv[0]);
+
+ osmo_tls_dh_load(pcap_server);
+ return CMD_SUCCESS;
+}
+
+DEFUN(cfg_tls_dh_generate,
+ cfg_tls_dh_generate_cmd,
+ "tls dh generate",
+ TLS_STR "Diffie-Hellman Key Exchange\n" "Generate prime\n")
+{
+ talloc_free(pcap_server->tls_dh_pkcs3);
+ pcap_server->tls_dh_pkcs3 = NULL;
+
+ osmo_tls_dh_generate(pcap_server);
+ return CMD_SUCCESS;
+}
+
void vty_server_init(struct osmo_pcap_server *server)
{
install_element(CONFIG_NODE, &cfg_server_cmd);
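Review bot: cfg_tls_dh_pkcs3 and cfg_tls_dh_generate discard whatever osmo_tls_dh_load() and osmo_tls_dh_generate() report and return CMD_SUCCESS unconditionally; if those helpers signal failure through their return value (not visible here), an unreadable DH parameter file would be accepted silently at configuration time, so the result should be checked and CMD_WARNING returned with a vty_out() message. A smaller style point: TLS_STR is defined at the top of this hunk but cfg_enable_tls and cfg_disable_tls spell out `"Transport Layer Security\n"` literally; `"Enable\n" TLS_STR` keeps the help text in one place. vty_server_init starts at the end of this hunk and continues outside it.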
@@ -254,6 +515,28 @@ void vty_server_init(struct osmo_pcap_server *server)
install_element(SERVER_NODE, &cfg_server_zmq_ip_port_cmd);
install_element(SERVER_NODE, &cfg_no_server_zmq_ip_port_cmd);
+ /* tls for the server */
+ install_element(SERVER_NODE, &cfg_enable_tls_cmd);
+ install_element(SERVER_NODE, &cfg_disable_tls_cmd);
+ install_element(SERVER_NODE, &cfg_tls_log_level_cmd);
+ install_element(SERVER_NODE, &cfg_tls_allow_anon_cmd);
+ install_element(SERVER_NODE, &cfg_no_tls_allow_anon_cmd);
+ install_element(SERVER_NODE, &cfg_tls_allow_x509_cmd);
+ install_element(SERVER_NODE, &cfg_no_tls_allow_x509_cmd);
+ install_element(SERVER_NODE, &cfg_tls_priority_cmd);
+ install_element(SERVER_NODE, &cfg_no_tls_priority_cmd);
+ install_element(SERVER_NODE, &cfg_tls_capath_cmd);
+ install_element(SERVER_NODE, &cfg_no_tls_capath_cmd);
+ install_element(SERVER_NODE, &cfg_tls_crlfile_cmd);
+ install_element(SERVER_NODE, &cfg_no_tls_crlfile_cmd);
+ install_element(SERVER_NODE, &cfg_tls_server_cert_cmd);
+ install_element(SERVER_NODE, &cfg_no_tls_server_cert_cmd);
+ install_element(SERVER_NODE, &cfg_tls_server_key_cmd);
+ install_element(SERVER_NODE, &cfg_no_tls_server_key_cmd);
+ install_element(SERVER_NODE, &cfg_tls_dh_generate_cmd);
+ install_element(SERVER_NODE, &cfg_tls_dh_pkcs3_cmd);
+
install_element(SERVER_NODE, &cfg_server_client_cmd);
+ install_element(SERVER_NODE, &cfg_server_client_store_tls_cmd);
install_element(SERVER_NODE, &cfg_server_no_client_cmd);
}