Review fixes

tempesta_fw/sock_clnt.c

@@ -20,15 +20,16 @@
  * this program; if not, write to the Free Software Foundation, Inc., 59
  * Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  */
+#include "tempesta_fw.h"
 #include "cfg.h"
 #include "classifier.h"
 #include "client.h"
 #include "connection.h"
 #include "log.h"
-#include "sync_socket.h"
-#include "tempesta_fw.h"
-#include "server.h"
 #include "procfs.h"
+#include "server.h"
+#include "sync_socket.h"
+#include "tls.h"
 
 /*
  * ------------------------------------------------------------------------
@@ -482,12 +483,16 @@ tfw_cfgop_listen(TfwCfgSpec *cs, TfwCfgEntry *ce)
 	if (!in_str)
 		goto parse_err;
 
-	if (!strcasecmp(in_str, "http"))
+	if (!strcasecmp(in_str, "http")) {
 		return tfw_listen_sock_add(&addr, TFW_FSM_HTTP);
-	else if (!strcasecmp(in_str, "https"))
+	}
+	else if (!strcasecmp(in_str, "https")) {
+		tfw_tls_cfg_require();
 		return tfw_listen_sock_add(&addr, TFW_FSM_HTTPS);
-	else
+	}
+	else {
 		goto parse_err;
+	}
 
 parse_err:
 	TFW_ERR_NL("Unable to parse 'listen' value: '%s'\n",

tempesta_fw/tls.c

@@ -402,17 +402,27 @@ tfw_tls_do_cleanup(void)
  * ------------------------------------------------------------------------
  */
 
+/* TLS configuration state. */
+#define TFW_TLS_CFG_F_DISABLED	0U
+#define TFW_TLS_CFG_F_REQUIRED	1U
+#define TFW_TLS_CFG_F_CERT	2U
+#define TFW_TLS_CFG_F_CKEY	4U
+#define TFW_TLS_CFG_M_ALL	(TFW_TLS_CFG_F_CERT | TFW_TLS_CFG_F_CKEY)
+
+static unsigned int tfw_tls_cgf = TFW_TLS_CFG_F_DISABLED;
+
+void
+tfw_tls_cfg_require(void)
+{
+	tfw_tls_cgf |= TFW_TLS_CFG_F_REQUIRED;
+}
+
 static int
 tfw_tls_start(void)
 {
-	int r = tfw_runstate_is_reconfig();
+	int r;
 
-	if (!tfw_tls.crt.version) {
-		TFW_ERR("TLS: please spcify a certificate with"
-			" tls_certificate configuration option\n");
-		return -EINVAL;
-	}
-	if (r)
+	if (tfw_runstate_is_reconfig())
 		return 0;
 
 	mbedtls_ssl_conf_ca_chain(&tfw_tls.cfg, tfw_tls.crt.next, NULL);
@@ -465,6 +475,7 @@ tfw_cfgop_ssl_certificate(TfwCfgSpec *cs, TfwCfgEntry *ce)
 			   cs->name, -r);
 		return -EINVAL;
 	}
+	tfw_tls_cgf |= TFW_TLS_CFG_F_CERT;
 
 	return 0;
 }
@@ -473,6 +484,7 @@ static void
 tfw_cfgop_cleanup_ssl_certificate(TfwCfgSpec *cs)
 {
 	mbedtls_x509_crt_free(&tfw_tls.crt);
+	tfw_tls_cgf &= ~TFW_TLS_CFG_F_CERT;
 }
 
 /**
@@ -515,6 +527,7 @@ tfw_cfgop_ssl_certificate_key(TfwCfgSpec *cs, TfwCfgEntry *ce)
 			   cs->name, -r);
 		return -EINVAL;
 	}
+	tfw_tls_cgf |= TFW_TLS_CFG_F_CKEY;
 
 	return 0;
 }
@@ -523,14 +536,26 @@ static void
 tfw_cfgop_cleanup_ssl_certificate_key(TfwCfgSpec *cs)
 {
 	mbedtls_pk_free(&tfw_tls.key);
+	tfw_tls_cgf &= ~TFW_TLS_CFG_F_CKEY;
 }
 
 static int
 tfw_tls_cfgend(void)
 {
-	if ((tfw_tls.crt.version && !tfw_tls.key.pk_ctx) ||
-	    (!tfw_tls.crt.version && tfw_tls.key.pk_ctx)) {
-		TFW_ERR_NL("TLS: SSL certificate/key pair is incomplete\n");
+	if (!(tfw_tls_cgf & TFW_TLS_CFG_F_REQUIRED)) {
+		if (tfw_tls_cgf)
+			TFW_WARN_NL("TLS: no HTTPS listener,"
+				    " configuration ignored\n");
+		return 0;
+	}
+	if (!(tfw_tls_cgf & TFW_TLS_CFG_F_CERT)) {
+		TFW_ERR_NL("TLS: please specify a certificate with"
+			   " tls_certificate configuration option\n");
+		return -EINVAL;
+	}
+	if (!(tfw_tls_cgf & TFW_TLS_CFG_F_CKEY)) {
+		TFW_ERR_NL("TLS: please specify a certificate key with"
+			   " tls_certificate_key configuration option\n");
 		return -EINVAL;
 	}
 

tempesta_fw/tls.h

@@ -1,7 +1,7 @@
 /**
  *		Tempesta FW
  *
- * Copyright (C) 2015 Tempesta Technologies, Inc.
+ * Copyright (C) 2015-2018 Tempesta Technologies, Inc.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by
@@ -63,5 +63,7 @@ typedef struct {
 	spinlock_t		lock;
 } TfwTlsContext;
 
+void tfw_tls_cfg_require(void);
+
 #endif /* __TFW_TLS_H__ */