REORG: cli: move ssl CLI functions to ssl_sock.c
Move ssl CLI functions to ssl_sock.c and use the cli keyword API to
register ssl actions on the CLI.
diff --git a/src/cli.c b/src/cli.c
index e15fc8a..7565c80 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -146,9 +146,6 @@
static int stats_pats_list(struct stream_interface *si);
static int stats_pat_list(struct stream_interface *si);
static int stats_map_lookup(struct stream_interface *si);
-#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
-static int stats_tlskeys_list(struct stream_interface *si);
-#endif
static int dump_servers_state(struct stream_interface *si, struct chunk *buf);
@@ -193,10 +190,6 @@
" add map : add map entry\n"
" del map : delete map entry\n"
" clear map <id> : clear the content of this map\n"
- " set ssl <stmt> : set statement for ssl\n"
-#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
- " show tls-keys [id|*]: show tls keys references or dump tls ticket keys when id specified\n"
-#endif
"";
static const char stats_permission_denied_msg[] =
@@ -999,50 +992,6 @@
return sv;
}
-/* This function is used with TLS ticket keys management. It permits to browse
- * each reference. The variable <getnext> must contain the current node,
- * <end> point to the root node.
- */
-#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
-static inline
-struct tls_keys_ref *tlskeys_list_get_next(struct tls_keys_ref *getnext, struct list *end)
-{
- struct tls_keys_ref *ref = getnext;
-
- while (1) {
-
- /* Get next list entry. */
- ref = LIST_NEXT(&ref->list, struct tls_keys_ref *, list);
-
- /* If the entry is the last of the list, return NULL. */
- if (&ref->list == end)
- return NULL;
-
- return ref;
- }
-}
-
-static inline
-struct tls_keys_ref *tlskeys_ref_lookup_ref(const char *reference)
-{
- int id;
- char *error;
-
- /* If the reference starts by a '#', this is numeric id. */
- if (reference[0] == '#') {
- /* Try to convert the numeric id. If the conversion fails, the lookup fails. */
- id = strtol(reference + 1, &error, 10);
- if (*error != '\0')
- return NULL;
-
- /* Perform the unique id lookup. */
- return tlskeys_ref_lookupid(id);
- }
-
- /* Perform the string lookup. */
- return tlskeys_ref_lookup(reference);
-}
-#endif
/* This function is used with map and acl management. It permits to browse
* each reference. The variable <getnext> must contain the current node,
@@ -1308,39 +1257,6 @@
else if (strcmp(args[1], "table") == 0) {
stats_sock_table_request(si, args, STAT_CLI_O_TAB);
}
- else if (strcmp(args[1], "tls-keys") == 0) {
-#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
- appctx->ctx.tlskeys.dump_all = 0;
- /* no parameter, shows only file list */
- if (!*args[2]) {
- appctx->ctx.tlskeys.dump_all = 1;
- appctx->st2 = STAT_ST_INIT;
- appctx->st0 = STAT_CLI_O_TLSK;
- return 1;
- }
-
- if (args[2][0] == '*') {
- /* list every TLS ticket keys */
- appctx->ctx.tlskeys.ref = NULL;
- appctx->ctx.tlskeys.dump_all = 1;
- } else {
- appctx->ctx.tlskeys.ref = tlskeys_ref_lookup_ref(args[2]);
- if(!appctx->ctx.tlskeys.ref) {
- appctx->ctx.cli.msg = "'show tls-keys' unable to locate referenced filename\n";
- appctx->st0 = STAT_CLI_PRINT;
- return 1;
- }
- }
- appctx->st2 = STAT_ST_INIT;
- appctx->st0 = STAT_CLI_O_TLSK_ENT;
-
-#else
- appctx->ctx.cli.msg = "HAProxy was compiled against a version of OpenSSL "
- "that doesn't support specifying TLS ticket keys\n";
- appctx->st0 = STAT_CLI_PRINT;
-#endif
- return 1;
- }
else if (strcmp(args[1], "map") == 0 ||
strcmp(args[1], "acl") == 0) {
@@ -2032,88 +1948,7 @@
/* The set is done, send message. */
appctx->st0 = STAT_CLI_PROMPT;
return 1;
- }
-#ifdef USE_OPENSSL
- else if (strcmp(args[1], "ssl") == 0) {
- if (strcmp(args[2], "ocsp-response") == 0) {
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
- char *err = NULL;
-
- /* Expect one parameter: the new response in base64 encoding */
- if (!*args[3]) {
- appctx->ctx.cli.msg = "'set ssl ocsp-response' expects response in base64 encoding.\n";
- appctx->st0 = STAT_CLI_PRINT;
- return 1;
- }
-
- trash.len = base64dec(args[3], strlen(args[3]), trash.str, trash.size);
- if (trash.len < 0) {
- appctx->ctx.cli.msg = "'set ssl ocsp-response' received invalid base64 encoded response.\n";
- appctx->st0 = STAT_CLI_PRINT;
- return 1;
- }
-
- if (ssl_sock_update_ocsp_response(&trash, &err)) {
- if (err) {
- memprintf(&err, "%s.\n", err);
- appctx->ctx.cli.err = err;
- appctx->st0 = STAT_CLI_PRINT_FREE;
- }
- return 1;
- }
- appctx->ctx.cli.msg = "OCSP Response updated!";
- appctx->st0 = STAT_CLI_PRINT;
- return 1;
-#else
- appctx->ctx.cli.msg = "HAProxy was compiled against a version of OpenSSL that doesn't support OCSP stapling.\n";
- appctx->st0 = STAT_CLI_PRINT;
- return 1;
-#endif
- }
- else if (strcmp(args[2], "tls-key") == 0) {
-#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
- /* Expect two parameters: the filename and the new new TLS key in encoding */
- if (!*args[3] || !*args[4]) {
- appctx->ctx.cli.msg = "'set ssl tls-key' expects a filename and the new TLS key in base64 encoding.\n";
- appctx->st0 = STAT_CLI_PRINT;
- return 1;
- }
-
- appctx->ctx.tlskeys.ref = tlskeys_ref_lookup_ref(args[3]);
- if(!appctx->ctx.tlskeys.ref) {
- appctx->ctx.cli.msg = "'set ssl tls-key' unable to locate referenced filename\n";
- appctx->st0 = STAT_CLI_PRINT;
- return 1;
- }
-
- trash.len = base64dec(args[4], strlen(args[4]), trash.str, trash.size);
- if (trash.len != sizeof(struct tls_sess_key)) {
- appctx->ctx.cli.msg = "'set ssl tls-key' received invalid base64 encoded TLS key.\n";
- appctx->st0 = STAT_CLI_PRINT;
- return 1;
- }
-
- memcpy(appctx->ctx.tlskeys.ref->tlskeys + ((appctx->ctx.tlskeys.ref->tls_ticket_enc_index + 2) % TLS_TICKETS_NO), trash.str, trash.len);
- appctx->ctx.tlskeys.ref->tls_ticket_enc_index = (appctx->ctx.tlskeys.ref->tls_ticket_enc_index + 1) % TLS_TICKETS_NO;
-
- appctx->ctx.cli.msg = "TLS ticket key updated!";
- appctx->st0 = STAT_CLI_PRINT;
- return 1;
-#else
- appctx->ctx.cli.msg = "HAProxy was compiled against a version of OpenSSL "
- "that doesn't support specifying TLS ticket keys\n";
- appctx->st0 = STAT_CLI_PRINT;
- return 1;
-#endif
- }
- else {
- appctx->ctx.cli.msg = "'set ssl' only supports 'ocsp-response'.\n";
- appctx->st0 = STAT_CLI_PRINT;
- return 1;
- }
- }
-#endif
- else { /* unknown "set" parameter */
+ } else { /* unknown "set" parameter */
return 0;
}
}
@@ -2690,16 +2525,6 @@
if (stats_dump_pools_to_buffer(si))
appctx->st0 = STAT_CLI_PROMPT;
break;
-#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
- case STAT_CLI_O_TLSK:
- if (stats_tlskeys_list(si))
- appctx->st0 = STAT_CLI_PROMPT;
- break;
- case STAT_CLI_O_TLSK_ENT:
- if (stats_tlskeys_list(si))
- appctx->st0 = STAT_CLI_PROMPT;
- break;
-#endif
case STAT_CLI_O_ENV: /* environment dump */
if (stats_dump_env_to_buffer(si))
appctx->st0 = STAT_CLI_PROMPT;
@@ -3457,101 +3282,6 @@
return 1;
}
-#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
-static int stats_tlskeys_list(struct stream_interface *si) {
- struct appctx *appctx = __objt_appctx(si->end);
-
- switch (appctx->st2) {
- case STAT_ST_INIT:
- /* Display the column headers. If the message cannot be sent,
- * quit the fucntion with returning 0. The function is called
- * later and restart at the state "STAT_ST_INIT".
- */
- chunk_reset(&trash);
-
- if (appctx->st0 == STAT_CLI_O_TLSK_ENT)
- chunk_appendf(&trash, "# id secret\n");
- else
- chunk_appendf(&trash, "# id (file)\n");
-
- if (bi_putchk(si_ic(si), &trash) == -1) {
- si_applet_cant_put(si);
- return 0;
- }
-
- appctx->ctx.tlskeys.dump_keys_index = 0;
-
- /* Now, we start the browsing of the references lists.
- * Note that the following call to LIST_ELEM return bad pointer. The only
- * available field of this pointer is <list>. It is used with the function
- * tlskeys_list_get_next() for retruning the first available entry
- */
- if (appctx->ctx.tlskeys.ref == NULL) {
- appctx->ctx.tlskeys.ref = LIST_ELEM(&tlskeys_reference, struct tls_keys_ref *, list);
- appctx->ctx.tlskeys.ref = tlskeys_list_get_next(appctx->ctx.tlskeys.ref, &tlskeys_reference);
- }
-
- appctx->st2 = STAT_ST_LIST;
- /* fall through */
-
- case STAT_ST_LIST:
- while (appctx->ctx.tlskeys.ref) {
- int head = appctx->ctx.tlskeys.ref->tls_ticket_enc_index;
-
- chunk_reset(&trash);
- if (appctx->st0 == STAT_CLI_O_TLSK_ENT && appctx->ctx.tlskeys.dump_keys_index == 0)
- chunk_appendf(&trash, "# ");
- if (appctx->ctx.tlskeys.dump_keys_index == 0)
- chunk_appendf(&trash, "%d (%s)\n", appctx->ctx.tlskeys.ref->unique_id,
- appctx->ctx.tlskeys.ref->filename);
- if (appctx->st0 == STAT_CLI_O_TLSK_ENT) {
- while (appctx->ctx.tlskeys.dump_keys_index < TLS_TICKETS_NO) {
- struct chunk *t2 = get_trash_chunk();
-
- chunk_reset(t2);
- /* should never fail here because we dump only a key in the t2 buffer */
- t2->len = a2base64((char *)(appctx->ctx.tlskeys.ref->tlskeys + (head + 2 + appctx->ctx.tlskeys.dump_keys_index) % TLS_TICKETS_NO),
- sizeof(struct tls_sess_key), t2->str, t2->size);
- chunk_appendf(&trash, "%d.%d %s\n", appctx->ctx.tlskeys.ref->unique_id, appctx->ctx.tlskeys.dump_keys_index, t2->str);
-
- if (bi_putchk(si_ic(si), &trash) == -1) {
- /* let's try again later from this stream. We add ourselves into
- * this stream's users so that it can remove us upon termination.
- */
- si_applet_cant_put(si);
- return 0;
- }
- appctx->ctx.tlskeys.dump_keys_index++;
- }
- appctx->ctx.tlskeys.dump_keys_index = 0;
- }
- if (bi_putchk(si_ic(si), &trash) == -1) {
- /* let's try again later from this stream. We add ourselves into
- * this stream's users so that it can remove us upon termination.
- */
- si_applet_cant_put(si);
- return 0;
- }
-
- if (appctx->ctx.tlskeys.dump_all == 0) /* don't display everything if not necessary */
- break;
-
- /* get next list entry and check the end of the list */
- appctx->ctx.tlskeys.ref = tlskeys_list_get_next(appctx->ctx.tlskeys.ref, &tlskeys_reference);
-
- }
-
- appctx->st2 = STAT_ST_FIN;
- /* fall through */
-
- default:
- appctx->st2 = STAT_ST_FIN;
- return 1;
- }
- return 0;
-}
-#endif
-
static int stats_pats_list(struct stream_interface *si)
{
struct appctx *appctx = __objt_appctx(si->end);