Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 089c13850fe46c9e52db9a84b47f7c6485dd8273 / . / src / ssl_ckch.c
blob: 198ac634ac22dc47f5a4f569f7f2984b747ac893 [file] [log] [blame]
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]1/*
2 *
3 * Copyright (C) 2020 HAProxy Technologies, William Lallemand <wlallemand@haproxy.com>
4 *
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version
8 * 2 of the License, or (at your option) any later version.
9 *
10 */
11
12#define _GNU_SOURCE
13#include <ctype.h>
14#include <errno.h>
15#include <fcntl.h>
16#include <stdio.h>
17#include <stdlib.h>
18#include <string.h>
Willy Tarreauaeed4a82020-06-04 22:01:04 +0200[diff] [blame]19#include <syslog.h>
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]20#include <unistd.h>
21
22#include <sys/stat.h>
23#include <sys/types.h>
24
Willy Tarreaub2551052020-06-09 09:07:15 +0200[diff] [blame]25#include <import/ebsttree.h>
26
Willy Tarreau8d366972020-05-27 16:10:29 +0200[diff] [blame]27#include <haproxy/base64.h>
Willy Tarreauf1d32c42020-06-04 21:07:02 +0200[diff] [blame]28#include <haproxy/channel.h>
Willy Tarreau83487a82020-06-04 20:19:54 +0200[diff] [blame]29#include <haproxy/cli.h>
Willy Tarreau8d366972020-05-27 16:10:29 +0200[diff] [blame]30#include <haproxy/errors.h>
Willy Tarreau47d7f902020-06-04 14:25:47 +0200[diff] [blame]31#include <haproxy/ssl_ckch.h>
Willy Tarreau209108d2020-06-04 20:30:20 +0200[diff] [blame]32#include <haproxy/ssl_sock.h>
Willy Tarreaub2bd8652020-06-04 14:21:22 +0200[diff] [blame]33#include <haproxy/ssl_utils.h>
Willy Tarreau5e539c92020-06-04 20:45:39 +0200[diff] [blame]34#include <haproxy/stream_interface.h>
Willy Tarreau48fbcae2020-06-03 18:09:46 +0200[diff] [blame]35#include <haproxy/tools.h>
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]36
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]37/* Uncommitted CKCH transaction */
38
39static struct {
40 struct ckch_store *new_ckchs;
41 struct ckch_store *old_ckchs;
42 char *path;
43} ckchs_transaction;
44
45
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]46
47/******************** cert_key_and_chain functions *************************
48 * These are the functions that fills a cert_key_and_chain structure. For the
49 * functions filling a SSL_CTX from a cert_key_and_chain, see ssl_sock.c
50 */
51
52/*
53 * Try to parse Signed Certificate Timestamp List structure. This function
54 * makes only basic test if the data seems like SCTL. No signature validation
55 * is performed.
56 */
57static int ssl_sock_parse_sctl(struct buffer *sctl)
58{
59 int ret = 1;
60 int len, pos, sct_len;
61 unsigned char *data;
62
63 if (sctl->data < 2)
64 goto out;
65
66 data = (unsigned char *) sctl->area;
67 len = (data[0] << 8) | data[1];
68
69 if (len + 2 != sctl->data)
70 goto out;
71
72 data = data + 2;
73 pos = 0;
74 while (pos < len) {
75 if (len - pos < 2)
76 goto out;
77
78 sct_len = (data[pos] << 8) | data[pos + 1];
79 if (pos + sct_len + 2 > len)
80 goto out;
81
82 pos += sct_len + 2;
83 }
84
85 ret = 0;
86
87out:
88 return ret;
89}
90
91/* Try to load a sctl from a buffer <buf> if not NULL, or read the file <sctl_path>
92 * It fills the ckch->sctl buffer
93 * return 0 on success or != 0 on failure */
94int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_key_and_chain *ckch, char **err)
95{
96 int fd = -1;
97 int r = 0;
98 int ret = 1;
99 struct buffer tmp;
100 struct buffer *src;
101 struct buffer *sctl;
102
103 if (buf) {
104 tmp.area = buf;
105 tmp.data = strlen(buf);
106 tmp.size = tmp.data + 1;
107 src = &tmp;
108 } else {
109 fd = open(sctl_path, O_RDONLY);
110 if (fd == -1)
111 goto end;
112
113 trash.data = 0;
114 while (trash.data < trash.size) {
115 r = read(fd, trash.area + trash.data, trash.size - trash.data);
116 if (r < 0) {
117 if (errno == EINTR)
118 continue;
119 goto end;
120 }
121 else if (r == 0) {
122 break;
123 }
124 trash.data += r;
125 }
126 src = &trash;
127 }
128
129 ret = ssl_sock_parse_sctl(src);
130 if (ret)
131 goto end;
132
133 sctl = calloc(1, sizeof(*sctl));
134 if (!chunk_dup(sctl, src)) {
135 free(sctl);
136 sctl = NULL;
137 goto end;
138 }
139 /* no error, fill ckch with new context, old context must be free */
140 if (ckch->sctl) {
141 free(ckch->sctl->area);
142 ckch->sctl->area = NULL;
143 free(ckch->sctl);
144 }
145 ckch->sctl = sctl;
146 ret = 0;
147end:
148 if (fd != -1)
149 close(fd);
150
151 return ret;
152}
153
154#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
155/*
Ilya Shipitsin46a030c2020-07-05 16:36:08 +0500[diff] [blame]156 * This function load the OCSP Response in DER format contained in file at
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]157 * path 'ocsp_path' or base64 in a buffer <buf>
158 *
159 * Returns 0 on success, 1 in error case.
160 */
161int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct cert_key_and_chain *ckch, char **err)
162{
163 int fd = -1;
164 int r = 0;
165 int ret = 1;
166 struct buffer *ocsp_response;
167 struct buffer *src = NULL;
168
169 if (buf) {
170 int i, j;
171 /* if it's from a buffer it will be base64 */
172
173 /* remove \r and \n from the payload */
174 for (i = 0, j = 0; buf[i]; i++) {
175 if (buf[i] == '\r' || buf[i] == '\n')
176 continue;
177 buf[j++] = buf[i];
178 }
179 buf[j] = 0;
180
181 ret = base64dec(buf, j, trash.area, trash.size);
182 if (ret < 0) {
183 memprintf(err, "Error reading OCSP response in base64 format");
184 goto end;
185 }
186 trash.data = ret;
187 src = &trash;
188 } else {
189 fd = open(ocsp_path, O_RDONLY);
190 if (fd == -1) {
191 memprintf(err, "Error opening OCSP response file");
192 goto end;
193 }
194
195 trash.data = 0;
196 while (trash.data < trash.size) {
197 r = read(fd, trash.area + trash.data, trash.size - trash.data);
198 if (r < 0) {
199 if (errno == EINTR)
200 continue;
201
202 memprintf(err, "Error reading OCSP response from file");
203 goto end;
204 }
205 else if (r == 0) {
206 break;
207 }
208 trash.data += r;
209 }
210 close(fd);
211 fd = -1;
212 src = &trash;
213 }
214
215 ocsp_response = calloc(1, sizeof(*ocsp_response));
216 if (!chunk_dup(ocsp_response, src)) {
217 free(ocsp_response);
218 ocsp_response = NULL;
219 goto end;
220 }
221 /* no error, fill ckch with new context, old context must be free */
222 if (ckch->ocsp_response) {
223 free(ckch->ocsp_response->area);
224 ckch->ocsp_response->area = NULL;
225 free(ckch->ocsp_response);
226 }
227 ckch->ocsp_response = ocsp_response;
228 ret = 0;
229end:
230 if (fd != -1)
231 close(fd);
232
233 return ret;
234}
235#endif
236
237/*
238 * Try to load in a ckch every files related to a ckch.
239 * (PEM, sctl, ocsp, issuer etc.)
240 *
241 * This function is only used to load files during the configuration parsing,
242 * it is not used with the CLI.
243 *
244 * This allows us to carry the contents of the file without having to read the
245 * file multiple times. The caller must call
246 * ssl_sock_free_cert_key_and_chain_contents.
247 *
248 * returns:
249 * 0 on Success
250 * 1 on SSL Failure
251 */
252int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *ckch, char **err)
253{
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]254 struct buffer *fp = NULL;
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]255 int ret = 1;
256
257 /* try to load the PEM */
258 if (ssl_sock_load_pem_into_ckch(path, NULL, ckch , err) != 0) {
259 goto end;
260 }
261
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]262 fp = alloc_trash_chunk();
263 if (!fp) {
264 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
265 goto end;
266 }
267
268 if (!chunk_strcpy(fp, path) || (b_data(fp) > MAXPATHLEN)) {
269 memprintf(err, "%s '%s' filename too long'.\n",
270 err && *err ? *err : "", fp->area);
271 ret = 1;
272 goto end;
273 }
274
William Lallemand089c1382020-10-23 17:35:12 +0200[diff] [blame^]275 /* remove the ".crt" extension */
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]276 if (global_ssl.extra_files_noext) {
277 char *ext;
278
279 /* look for the extension */
280 if ((ext = strrchr(fp->area, '.'))) {
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]281
William Lallemand089c1382020-10-23 17:35:12 +0200[diff] [blame^]282 if (!strcmp(ext, ".crt")) {
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]283 *ext = '\0';
William Lallemand089c1382020-10-23 17:35:12 +0200[diff] [blame^]284 fp->data = strlen(fp->area);
285 }
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]286 }
287
288 }
289
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]290 /* try to load an external private key if it wasn't in the PEM */
291 if ((ckch->key == NULL) && (global_ssl.extra_files & SSL_GF_KEY)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]292 struct stat st;
293
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]294
295 if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) {
296 memprintf(err, "%s '%s' filename too long'.\n",
297 err && *err ? *err : "", fp->area);
298 ret = 1;
299 goto end;
300 }
301
302 if (stat(fp->area, &st) == 0) {
303 if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]304 memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]305 err && *err ? *err : "", fp->area);
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]306 goto end;
307 }
308 }
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]309
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]310 if (ckch->key == NULL) {
311 memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
312 goto end;
313 }
314 /* remove the added extension */
315 *(fp->area + fp->data - strlen(".key")) = '\0';
316 b_sub(fp, strlen(".key"));
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]317 }
318
319 if (!X509_check_private_key(ckch->cert, ckch->key)) {
320 memprintf(err, "%sinconsistencies between private key and certificate loaded '%s'.\n",
321 err && *err ? *err : "", path);
322 goto end;
323 }
324
325#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
326 /* try to load the sctl file */
327 if (global_ssl.extra_files & SSL_GF_SCTL) {
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]328 struct stat st;
329
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]330 if (!chunk_strcat(fp, ".sctl") || b_data(fp) > MAXPATHLEN) {
331 memprintf(err, "%s '%s' filename too long'.\n",
332 err && *err ? *err : "", fp->area);
333 ret = 1;
334 goto end;
335 }
336
337 if (stat(fp->area, &st) == 0) {
338 if (ssl_sock_load_sctl_from_file(fp->area, NULL, ckch, err)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]339 memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]340 err && *err ? *err : "", fp->area);
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]341 ret = 1;
342 goto end;
343 }
344 }
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]345 /* remove the added extension */
346 *(fp->area + fp->data - strlen(".sctl")) = '\0';
347 b_sub(fp, strlen(".sctl"));
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]348 }
349#endif
350
351 /* try to load an ocsp response file */
352 if (global_ssl.extra_files & SSL_GF_OCSP) {
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]353 struct stat st;
354
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]355 if (!chunk_strcat(fp, ".ocsp") || b_data(fp) > MAXPATHLEN) {
356 memprintf(err, "%s '%s' filename too long'.\n",
357 err && *err ? *err : "", fp->area);
358 ret = 1;
359 goto end;
360 }
361
362 if (stat(fp->area, &st) == 0) {
363 if (ssl_sock_load_ocsp_response_from_file(fp->area, NULL, ckch, err)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]364 ret = 1;
365 goto end;
366 }
367 }
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]368 /* remove the added extension */
369 *(fp->area + fp->data - strlen(".ocsp")) = '\0';
370 b_sub(fp, strlen(".ocsp"));
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]371 }
372
373#ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */
374 if (ckch->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) {
375 /* if no issuer was found, try to load an issuer from the .issuer */
376 if (!ckch->ocsp_issuer) {
377 struct stat st;
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]378
379 if (!chunk_strcat(fp, ".issuer") || b_data(fp) > MAXPATHLEN) {
380 memprintf(err, "%s '%s' filename too long'.\n",
381 err && *err ? *err : "", fp->area);
382 ret = 1;
383 goto end;
384 }
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]385
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]386 if (stat(fp->area, &st) == 0) {
387 if (ssl_sock_load_issuer_file_into_ckch(fp->area, NULL, ckch, err)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]388 ret = 1;
389 goto end;
390 }
391
392 if (X509_check_issued(ckch->ocsp_issuer, ckch->cert) != X509_V_OK) {
393 memprintf(err, "%s '%s' is not an issuer'.\n",
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]394 err && *err ? *err : "", fp->area);
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]395 ret = 1;
396 goto end;
397 }
398 }
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]399 /* remove the added extension */
400 *(fp->area + fp->data - strlen(".issuer")) = '\0';
401 b_sub(fp, strlen(".issuer"));
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]402 }
403 }
404#endif
405
406 ret = 0;
407
408end:
409
410 ERR_clear_error();
411
412 /* Something went wrong in one of the reads */
413 if (ret != 0)
414 ssl_sock_free_cert_key_and_chain_contents(ckch);
415
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]416 free_trash_chunk(fp);
417
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]418 return ret;
419}
420
421/*
422 * Try to load a private key file from a <path> or a buffer <buf>
423 *
424 * If it failed you should not attempt to use the ckch but free it.
425 *
426 * Return 0 on success or != 0 on failure
427 */
428int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err)
429{
430 BIO *in = NULL;
431 int ret = 1;
432 EVP_PKEY *key = NULL;
433
434 if (buf) {
435 /* reading from a buffer */
436 in = BIO_new_mem_buf(buf, -1);
437 if (in == NULL) {
438 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
439 goto end;
440 }
441
442 } else {
443 /* reading from a file */
444 in = BIO_new(BIO_s_file());
445 if (in == NULL)
446 goto end;
447
448 if (BIO_read_filename(in, path) <= 0)
449 goto end;
450 }
451
452 /* Read Private Key */
453 key = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
454 if (key == NULL) {
455 memprintf(err, "%sunable to load private key from file '%s'.\n",
456 err && *err ? *err : "", path);
457 goto end;
458 }
459
460 ret = 0;
461
462 SWAP(ckch->key, key);
463
464end:
465
466 ERR_clear_error();
467 if (in)
468 BIO_free(in);
469 if (key)
470 EVP_PKEY_free(key);
471
472 return ret;
473}
474
475/*
476 * Try to load a PEM file from a <path> or a buffer <buf>
477 * The PEM must contain at least a Certificate,
478 * It could contain a DH, a certificate chain and a PrivateKey.
479 *
480 * If it failed you should not attempt to use the ckch but free it.
481 *
482 * Return 0 on success or != 0 on failure
483 */
484int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err)
485{
486 BIO *in = NULL;
487 int ret = 1;
488 X509 *ca;
489 X509 *cert = NULL;
490 EVP_PKEY *key = NULL;
491 DH *dh = NULL;
492 STACK_OF(X509) *chain = NULL;
493
494 if (buf) {
495 /* reading from a buffer */
496 in = BIO_new_mem_buf(buf, -1);
497 if (in == NULL) {
498 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
499 goto end;
500 }
501
502 } else {
503 /* reading from a file */
504 in = BIO_new(BIO_s_file());
505 if (in == NULL) {
506 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
507 goto end;
508 }
509
510 if (BIO_read_filename(in, path) <= 0) {
511 memprintf(err, "%scannot open the file '%s'.\n",
512 err && *err ? *err : "", path);
513 goto end;
514 }
515 }
516
517 /* Read Private Key */
518 key = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
519 /* no need to check for errors here, because the private key could be loaded later */
520
521#ifndef OPENSSL_NO_DH
522 /* Seek back to beginning of file */
523 if (BIO_reset(in) == -1) {
524 memprintf(err, "%san error occurred while reading the file '%s'.\n",
525 err && *err ? *err : "", path);
526 goto end;
527 }
528
529 dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
530 /* no need to return an error there, dh is not mandatory */
531#endif
532
533 /* Seek back to beginning of file */
534 if (BIO_reset(in) == -1) {
535 memprintf(err, "%san error occurred while reading the file '%s'.\n",
536 err && *err ? *err : "", path);
537 goto end;
538 }
539
540 /* Read Certificate */
541 cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
542 if (cert == NULL) {
543 memprintf(err, "%sunable to load certificate from file '%s'.\n",
544 err && *err ? *err : "", path);
545 goto end;
546 }
547
548 /* Look for a Certificate Chain */
549 while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
550 if (chain == NULL)
551 chain = sk_X509_new_null();
552 if (!sk_X509_push(chain, ca)) {
553 X509_free(ca);
554 goto end;
555 }
556 }
557
558 ret = ERR_get_error();
559 if (ret && (ERR_GET_LIB(ret) != ERR_LIB_PEM && ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) {
560 memprintf(err, "%sunable to load certificate chain from file '%s'.\n",
561 err && *err ? *err : "", path);
562 goto end;
563 }
564
565 /* once it loaded the PEM, it should remove everything else in the ckch */
566 if (ckch->ocsp_response) {
567 free(ckch->ocsp_response->area);
568 ckch->ocsp_response->area = NULL;
569 free(ckch->ocsp_response);
570 ckch->ocsp_response = NULL;
571 }
572
573 if (ckch->sctl) {
574 free(ckch->sctl->area);
575 ckch->sctl->area = NULL;
576 free(ckch->sctl);
577 ckch->sctl = NULL;
578 }
579
580 if (ckch->ocsp_issuer) {
581 X509_free(ckch->ocsp_issuer);
582 ckch->ocsp_issuer = NULL;
583 }
584
585 /* no error, fill ckch with new context, old context will be free at end: */
586 SWAP(ckch->key, key);
587 SWAP(ckch->dh, dh);
588 SWAP(ckch->cert, cert);
589 SWAP(ckch->chain, chain);
590
591 ret = 0;
592
593end:
594
595 ERR_clear_error();
596 if (in)
597 BIO_free(in);
598 if (key)
599 EVP_PKEY_free(key);
600 if (dh)
601 DH_free(dh);
602 if (cert)
603 X509_free(cert);
604 if (chain)
605 sk_X509_pop_free(chain, X509_free);
606
607 return ret;
608}
609
610/* Frees the contents of a cert_key_and_chain
611 */
612void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch)
613{
614 if (!ckch)
615 return;
616
617 /* Free the certificate and set pointer to NULL */
618 if (ckch->cert)
619 X509_free(ckch->cert);
620 ckch->cert = NULL;
621
622 /* Free the key and set pointer to NULL */
623 if (ckch->key)
624 EVP_PKEY_free(ckch->key);
625 ckch->key = NULL;
626
627 /* Free each certificate in the chain */
628 if (ckch->chain)
629 sk_X509_pop_free(ckch->chain, X509_free);
630 ckch->chain = NULL;
631
632 if (ckch->dh)
633 DH_free(ckch->dh);
634 ckch->dh = NULL;
635
636 if (ckch->sctl) {
637 free(ckch->sctl->area);
638 ckch->sctl->area = NULL;
639 free(ckch->sctl);
640 ckch->sctl = NULL;
641 }
642
643 if (ckch->ocsp_response) {
644 free(ckch->ocsp_response->area);
645 ckch->ocsp_response->area = NULL;
646 free(ckch->ocsp_response);
647 ckch->ocsp_response = NULL;
648 }
649
650 if (ckch->ocsp_issuer)
651 X509_free(ckch->ocsp_issuer);
652 ckch->ocsp_issuer = NULL;
653}
654
655/*
656 *
657 * This function copy a cert_key_and_chain in memory
658 *
659 * It's used to try to apply changes on a ckch before committing them, because
660 * most of the time it's not possible to revert those changes
661 *
662 * Return a the dst or NULL
663 */
664struct cert_key_and_chain *ssl_sock_copy_cert_key_and_chain(struct cert_key_and_chain *src,
665 struct cert_key_and_chain *dst)
666{
667 if (src->cert) {
668 dst->cert = src->cert;
669 X509_up_ref(src->cert);
670 }
671
672 if (src->key) {
673 dst->key = src->key;
674 EVP_PKEY_up_ref(src->key);
675 }
676
677 if (src->chain) {
678 dst->chain = X509_chain_up_ref(src->chain);
679 }
680
681 if (src->dh) {
682 DH_up_ref(src->dh);
683 dst->dh = src->dh;
684 }
685
686 if (src->sctl) {
687 struct buffer *sctl;
688
689 sctl = calloc(1, sizeof(*sctl));
690 if (!chunk_dup(sctl, src->sctl)) {
691 free(sctl);
692 sctl = NULL;
693 goto error;
694 }
695 dst->sctl = sctl;
696 }
697
698 if (src->ocsp_response) {
699 struct buffer *ocsp_response;
700
701 ocsp_response = calloc(1, sizeof(*ocsp_response));
702 if (!chunk_dup(ocsp_response, src->ocsp_response)) {
703 free(ocsp_response);
704 ocsp_response = NULL;
705 goto error;
706 }
707 dst->ocsp_response = ocsp_response;
708 }
709
710 if (src->ocsp_issuer) {
711 X509_up_ref(src->ocsp_issuer);
712 dst->ocsp_issuer = src->ocsp_issuer;
713 }
714
715 return dst;
716
717error:
718
719 /* free everything */
720 ssl_sock_free_cert_key_and_chain_contents(dst);
721
722 return NULL;
723}
724
725/*
726 * return 0 on success or != 0 on failure
727 */
728int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch, char **err)
729{
730 int ret = 1;
731 BIO *in = NULL;
732 X509 *issuer;
733
734 if (buf) {
735 /* reading from a buffer */
736 in = BIO_new_mem_buf(buf, -1);
737 if (in == NULL) {
738 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
739 goto end;
740 }
741
742 } else {
743 /* reading from a file */
744 in = BIO_new(BIO_s_file());
745 if (in == NULL)
746 goto end;
747
748 if (BIO_read_filename(in, path) <= 0)
749 goto end;
750 }
751
752 issuer = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
753 if (!issuer) {
754 memprintf(err, "%s'%s' cannot be read or parsed'.\n",
755 err && *err ? *err : "", path);
756 goto end;
757 }
758 /* no error, fill ckch with new context, old context must be free */
759 if (ckch->ocsp_issuer)
760 X509_free(ckch->ocsp_issuer);
761 ckch->ocsp_issuer = issuer;
762 ret = 0;
763
764end:
765
766 ERR_clear_error();
767 if (in)
768 BIO_free(in);
769
770 return ret;
771}
772
773/******************** ckch_store functions ***********************************
774 * The ckch_store is a structure used to cache and index the SSL files used in
775 * configuration
776 */
777
778/*
779 * Free a ckch_store, its ckch, its instances and remove it from the ebtree
780 */
781void ckch_store_free(struct ckch_store *store)
782{
783 struct ckch_inst *inst, *inst_s;
784
785 if (!store)
786 return;
787
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]788 ssl_sock_free_cert_key_and_chain_contents(store->ckch);
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]789
790 free(store->ckch);
791 store->ckch = NULL;
792
793 list_for_each_entry_safe(inst, inst_s, &store->ckch_inst, by_ckchs) {
794 ckch_inst_free(inst);
795 }
796 ebmb_delete(&store->node);
797 free(store);
798}
799
800/*
801 * create and initialize a ckch_store
802 * <path> is the key name
803 * <nmemb> is the number of store->ckch objects to allocate
804 *
805 * Return a ckch_store or NULL upon failure.
806 */
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]807struct ckch_store *ckch_store_new(const char *filename)
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]808{
809 struct ckch_store *store;
810 int pathlen;
811
812 pathlen = strlen(filename);
813 store = calloc(1, sizeof(*store) + pathlen + 1);
814 if (!store)
815 return NULL;
816
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]817 memcpy(store->path, filename, pathlen + 1);
818
819 LIST_INIT(&store->ckch_inst);
820 LIST_INIT(&store->crtlist_entry);
821
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]822 store->ckch = calloc(1, sizeof(*store->ckch));
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]823 if (!store->ckch)
824 goto error;
825
826 return store;
827error:
828 ckch_store_free(store);
829 return NULL;
830}
831
832/* allocate and duplicate a ckch_store
833 * Return a new ckch_store or NULL */
834struct ckch_store *ckchs_dup(const struct ckch_store *src)
835{
836 struct ckch_store *dst;
837
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]838 dst = ckch_store_new(src->path);
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]839
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]840 if (!ssl_sock_copy_cert_key_and_chain(src->ckch, dst->ckch))
841 goto error;
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]842
843 return dst;
844
845error:
846 ckch_store_free(dst);
847
848 return NULL;
849}
850
851/*
852 * lookup a path into the ckchs tree.
853 */
854struct ckch_store *ckchs_lookup(char *path)
855{
856 struct ebmb_node *eb;
857
858 eb = ebst_lookup(&ckchs_tree, path);
859 if (!eb)
860 return NULL;
861
862 return ebmb_entry(eb, struct ckch_store, node);
863}
864
865/*
866 * This function allocate a ckch_store and populate it with certificates from files.
867 */
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]868struct ckch_store *ckchs_load_cert_file(char *path, char **err)
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]869{
870 struct ckch_store *ckchs;
871
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]872 ckchs = ckch_store_new(path);
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]873 if (!ckchs) {
874 memprintf(err, "%sunable to allocate memory.\n", err && *err ? *err : "");
875 goto end;
876 }
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]877
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]878 if (ssl_sock_load_files_into_ckch(path, ckchs->ckch, err) == 1)
879 goto end;
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]880
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]881 /* insert into the ckchs tree */
882 memcpy(ckchs->path, path, strlen(path) + 1);
883 ebst_insert(&ckchs_tree, &ckchs->node);
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]884 return ckchs;
885
886end:
887 ckch_store_free(ckchs);
888
889 return NULL;
890}
891
William Lallemandfa1d8b42020-05-13 15:46:10 +0200[diff] [blame]892
893/******************** ckch_inst functions ******************************/
894
895/* unlink a ckch_inst, free all SNIs, free the ckch_inst */
896/* The caller must use the lock of the bind_conf if used with inserted SNIs */
897void ckch_inst_free(struct ckch_inst *inst)
898{
899 struct sni_ctx *sni, *sni_s;
900
901 if (inst == NULL)
902 return;
903
904 list_for_each_entry_safe(sni, sni_s, &inst->sni_ctx, by_ckch_inst) {
905 SSL_CTX_free(sni->ctx);
906 LIST_DEL(&sni->by_ckch_inst);
907 ebmb_delete(&sni->name);
908 free(sni);
909 }
910 LIST_DEL(&inst->by_ckchs);
911 LIST_DEL(&inst->by_crtlist_entry);
912 free(inst);
913}
914
915/* Alloc and init a ckch_inst */
916struct ckch_inst *ckch_inst_new()
917{
918 struct ckch_inst *ckch_inst;
919
920 ckch_inst = calloc(1, sizeof *ckch_inst);
921 if (!ckch_inst)
922 return NULL;
923
924 LIST_INIT(&ckch_inst->sni_ctx);
925 LIST_INIT(&ckch_inst->by_ckchs);
926 LIST_INIT(&ckch_inst->by_crtlist_entry);
927
928 return ckch_inst;
929}
930
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]931/*************************** CLI commands ***********************/
932
933/* Type of SSL payloads that can be updated over the CLI */
934
935enum {
936 CERT_TYPE_PEM = 0,
937 CERT_TYPE_KEY,
938#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
939 CERT_TYPE_OCSP,
940#endif
941 CERT_TYPE_ISSUER,
942#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
943 CERT_TYPE_SCTL,
944#endif
945 CERT_TYPE_MAX,
946};
947
948struct {
949 const char *ext;
950 int type;
951 int (*load)(const char *path, char *payload, struct cert_key_and_chain *ckch, char **err);
952 /* add a parsing callback */
953} cert_exts[CERT_TYPE_MAX+1] = {
954 [CERT_TYPE_PEM] = { "", CERT_TYPE_PEM, &ssl_sock_load_pem_into_ckch }, /* default mode, no extensions */
955 [CERT_TYPE_KEY] = { "key", CERT_TYPE_KEY, &ssl_sock_load_key_into_ckch },
956#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
957 [CERT_TYPE_OCSP] = { "ocsp", CERT_TYPE_OCSP, &ssl_sock_load_ocsp_response_from_file },
958#endif
959#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
960 [CERT_TYPE_SCTL] = { "sctl", CERT_TYPE_SCTL, &ssl_sock_load_sctl_from_file },
961#endif
962 [CERT_TYPE_ISSUER] = { "issuer", CERT_TYPE_ISSUER, &ssl_sock_load_issuer_file_into_ckch },
963 [CERT_TYPE_MAX] = { NULL, CERT_TYPE_MAX, NULL },
964};
965
966
967/* release function of the `show ssl cert' command */
968static void cli_release_show_cert(struct appctx *appctx)
969{
970 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
971}
972
973/* IO handler of "show ssl cert <filename>" */
974static int cli_io_handler_show_cert(struct appctx *appctx)
975{
976 struct buffer *trash = alloc_trash_chunk();
977 struct ebmb_node *node;
978 struct stream_interface *si = appctx->owner;
979 struct ckch_store *ckchs;
980
981 if (trash == NULL)
982 return 1;
983
984 if (!appctx->ctx.ssl.old_ckchs) {
985 if (ckchs_transaction.old_ckchs) {
986 ckchs = ckchs_transaction.old_ckchs;
987 chunk_appendf(trash, "# transaction\n");
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]988 chunk_appendf(trash, "*%s\n", ckchs->path);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]989 }
990 }
991
992 if (!appctx->ctx.cli.p0) {
993 chunk_appendf(trash, "# filename\n");
994 node = ebmb_first(&ckchs_tree);
995 } else {
996 node = &((struct ckch_store *)appctx->ctx.cli.p0)->node;
997 }
998 while (node) {
999 ckchs = ebmb_entry(node, struct ckch_store, node);
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1000 chunk_appendf(trash, "%s\n", ckchs->path);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1001
1002 node = ebmb_next(node);
1003 if (ci_putchk(si_ic(si), trash) == -1) {
1004 si_rx_room_blk(si);
1005 goto yield;
1006 }
1007 }
1008
1009 appctx->ctx.cli.p0 = NULL;
1010 free_trash_chunk(trash);
1011 return 1;
1012yield:
1013
1014 free_trash_chunk(trash);
1015 appctx->ctx.cli.p0 = ckchs;
1016 return 0; /* should come back */
1017}
1018
1019/*
1020 * Extract and format the DNS SAN extensions and copy result into a chuink
1021 * Return 0;
1022 */
1023#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1024static int ssl_sock_get_san_oneline(X509 *cert, struct buffer *out)
1025{
1026 int i;
1027 char *str;
1028 STACK_OF(GENERAL_NAME) *names = NULL;
1029
1030 names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
1031 if (names) {
1032 for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
1033 GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
1034 if (i > 0)
1035 chunk_appendf(out, ", ");
1036 if (name->type == GEN_DNS) {
1037 if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) {
1038 chunk_appendf(out, "DNS:%s", str);
1039 OPENSSL_free(str);
1040 }
1041 }
1042 }
1043 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
1044 }
1045 return 0;
1046}
1047#endif
1048
1049
1050
1051
1052/* IO handler of the details "show ssl cert <filename>" */
1053static int cli_io_handler_show_cert_detail(struct appctx *appctx)
1054{
1055 struct stream_interface *si = appctx->owner;
1056 struct ckch_store *ckchs = appctx->ctx.cli.p0;
1057 struct buffer *out = alloc_trash_chunk();
1058 struct buffer *tmp = alloc_trash_chunk();
1059 X509_NAME *name = NULL;
1060 STACK_OF(X509) *chain;
1061 unsigned int len = 0;
1062 int write = -1;
1063 BIO *bio = NULL;
1064 int i;
1065
1066 if (!tmp || !out)
1067 goto end_no_putchk;
1068
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1069 chunk_appendf(out, "Filename: ");
1070 if (ckchs == ckchs_transaction.new_ckchs)
1071 chunk_appendf(out, "*");
1072 chunk_appendf(out, "%s\n", ckchs->path);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1073
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1074 chunk_appendf(out, "Status: ");
1075 if (ckchs->ckch->cert == NULL)
1076 chunk_appendf(out, "Empty\n");
1077 else if (LIST_ISEMPTY(&ckchs->ckch_inst))
1078 chunk_appendf(out, "Unused\n");
1079 else
1080 chunk_appendf(out, "Used\n");
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1081
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1082 if (ckchs->ckch->cert == NULL)
1083 goto end;
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1084
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1085 chain = ckchs->ckch->chain;
1086 if (chain == NULL) {
1087 struct issuer_chain *issuer;
1088 issuer = ssl_get0_issuer_chain(ckchs->ckch->cert);
1089 if (issuer) {
1090 chain = issuer->chain;
1091 chunk_appendf(out, "Chain Filename: ");
1092 chunk_appendf(out, "%s\n", issuer->path);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1093 }
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1094 }
1095 chunk_appendf(out, "Serial: ");
1096 if (ssl_sock_get_serial(ckchs->ckch->cert, tmp) == -1)
1097 goto end;
1098 dump_binary(out, tmp->area, tmp->data);
1099 chunk_appendf(out, "\n");
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1100
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1101 chunk_appendf(out, "notBefore: ");
1102 chunk_reset(tmp);
1103 if ((bio = BIO_new(BIO_s_mem())) == NULL)
1104 goto end;
1105 if (ASN1_TIME_print(bio, X509_getm_notBefore(ckchs->ckch->cert)) == 0)
1106 goto end;
1107 write = BIO_read(bio, tmp->area, tmp->size-1);
1108 tmp->area[write] = '\0';
1109 BIO_free(bio);
1110 bio = NULL;
1111 chunk_appendf(out, "%s\n", tmp->area);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1112
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1113 chunk_appendf(out, "notAfter: ");
1114 chunk_reset(tmp);
1115 if ((bio = BIO_new(BIO_s_mem())) == NULL)
1116 goto end;
1117 if (ASN1_TIME_print(bio, X509_getm_notAfter(ckchs->ckch->cert)) == 0)
1118 goto end;
1119 if ((write = BIO_read(bio, tmp->area, tmp->size-1)) <= 0)
1120 goto end;
1121 tmp->area[write] = '\0';
1122 BIO_free(bio);
1123 bio = NULL;
1124 chunk_appendf(out, "%s\n", tmp->area);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1125
1126#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1127 chunk_appendf(out, "Subject Alternative Name: ");
1128 if (ssl_sock_get_san_oneline(ckchs->ckch->cert, out) == -1)
1129 goto end;
1130 *(out->area + out->data) = '\0';
1131 chunk_appendf(out, "\n");
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1132#endif
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1133 chunk_reset(tmp);
1134 chunk_appendf(out, "Algorithm: ");
1135 if (cert_get_pkey_algo(ckchs->ckch->cert, tmp) == 0)
1136 goto end;
1137 chunk_appendf(out, "%s\n", tmp->area);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1138
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1139 chunk_reset(tmp);
1140 chunk_appendf(out, "SHA1 FingerPrint: ");
1141 if (X509_digest(ckchs->ckch->cert, EVP_sha1(), (unsigned char *) tmp->area, &len) == 0)
1142 goto end;
1143 tmp->data = len;
1144 dump_binary(out, tmp->area, tmp->data);
1145 chunk_appendf(out, "\n");
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1146
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1147 chunk_appendf(out, "Subject: ");
1148 if ((name = X509_get_subject_name(ckchs->ckch->cert)) == NULL)
1149 goto end;
1150 if ((ssl_sock_get_dn_oneline(name, tmp)) == -1)
1151 goto end;
1152 *(tmp->area + tmp->data) = '\0';
1153 chunk_appendf(out, "%s\n", tmp->area);
1154
1155 chunk_appendf(out, "Issuer: ");
1156 if ((name = X509_get_issuer_name(ckchs->ckch->cert)) == NULL)
1157 goto end;
1158 if ((ssl_sock_get_dn_oneline(name, tmp)) == -1)
1159 goto end;
1160 *(tmp->area + tmp->data) = '\0';
1161 chunk_appendf(out, "%s\n", tmp->area);
1162
1163 /* Displays subject of each certificate in the chain */
1164 for (i = 0; i < sk_X509_num(chain); i++) {
1165 X509 *ca = sk_X509_value(chain, i);
1166
1167 chunk_appendf(out, "Chain Subject: ");
1168 if ((name = X509_get_subject_name(ca)) == NULL)
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1169 goto end;
1170 if ((ssl_sock_get_dn_oneline(name, tmp)) == -1)
1171 goto end;
1172 *(tmp->area + tmp->data) = '\0';
1173 chunk_appendf(out, "%s\n", tmp->area);
1174
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1175 chunk_appendf(out, "Chain Issuer: ");
1176 if ((name = X509_get_issuer_name(ca)) == NULL)
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1177 goto end;
1178 if ((ssl_sock_get_dn_oneline(name, tmp)) == -1)
1179 goto end;
1180 *(tmp->area + tmp->data) = '\0';
1181 chunk_appendf(out, "%s\n", tmp->area);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1182 }
1183
1184end:
1185 if (ci_putchk(si_ic(si), out) == -1) {
1186 si_rx_room_blk(si);
1187 goto yield;
1188 }
1189
1190end_no_putchk:
1191 if (bio)
1192 BIO_free(bio);
1193 free_trash_chunk(tmp);
1194 free_trash_chunk(out);
1195 return 1;
1196yield:
1197 free_trash_chunk(tmp);
1198 free_trash_chunk(out);
1199 return 0; /* should come back */
1200}
1201
1202/* parsing function for 'show ssl cert [certfile]' */
1203static int cli_parse_show_cert(char **args, char *payload, struct appctx *appctx, void *private)
1204{
1205 struct ckch_store *ckchs;
1206
1207 if (!cli_has_level(appctx, ACCESS_LVL_OPER))
1208 return cli_err(appctx, "Can't allocate memory!\n");
1209
1210 /* The operations on the CKCH architecture are locked so we can
1211 * manipulate ckch_store and ckch_inst */
1212 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
1213 return cli_err(appctx, "Can't show!\nOperations on certificates are currently locked!\n");
1214
1215 /* check if there is a certificate to lookup */
1216 if (*args[3]) {
1217 if (*args[3] == '*') {
1218 if (!ckchs_transaction.new_ckchs)
1219 goto error;
1220
1221 ckchs = ckchs_transaction.new_ckchs;
1222
1223 if (strcmp(args[3] + 1, ckchs->path))
1224 goto error;
1225
1226 } else {
1227 if ((ckchs = ckchs_lookup(args[3])) == NULL)
1228 goto error;
1229
1230 }
1231
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1232 appctx->ctx.cli.p0 = ckchs;
1233 /* use the IO handler that shows details */
1234 appctx->io_handler = cli_io_handler_show_cert_detail;
1235 }
1236
1237 return 0;
1238
1239error:
1240 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1241 return cli_err(appctx, "Can't display the certificate: Not found or the certificate is a bundle!\n");
1242}
1243
1244/* release function of the `set ssl cert' command, free things and unlock the spinlock */
1245static void cli_release_commit_cert(struct appctx *appctx)
1246{
1247 struct ckch_store *new_ckchs;
1248
1249 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1250
1251 if (appctx->st2 != SETCERT_ST_FIN) {
1252 /* free every new sni_ctx and the new store, which are not in the trees so no spinlock there */
1253 new_ckchs = appctx->ctx.ssl.new_ckchs;
1254
1255 /* if the allocation failed, we need to free everything from the temporary list */
1256 ckch_store_free(new_ckchs);
1257 }
1258}
1259
1260/*
1261 * This function tries to create the new ckch_inst and their SNIs
1262 */
1263static int cli_io_handler_commit_cert(struct appctx *appctx)
1264{
1265 struct stream_interface *si = appctx->owner;
1266 int y = 0;
1267 char *err = NULL;
1268 int errcode = 0;
1269 struct ckch_store *old_ckchs, *new_ckchs = NULL;
1270 struct ckch_inst *ckchi, *ckchis;
1271 struct buffer *trash = alloc_trash_chunk();
1272 struct sni_ctx *sc0, *sc0s;
1273 struct crtlist_entry *entry;
1274
1275 if (trash == NULL)
1276 goto error;
1277
1278 if (unlikely(si_ic(si)->flags & (CF_WRITE_ERROR|CF_SHUTW)))
1279 goto error;
1280
1281 while (1) {
1282 switch (appctx->st2) {
1283 case SETCERT_ST_INIT:
1284 /* This state just print the update message */
1285 chunk_printf(trash, "Committing %s", ckchs_transaction.path);
1286 if (ci_putchk(si_ic(si), trash) == -1) {
1287 si_rx_room_blk(si);
1288 goto yield;
1289 }
1290 appctx->st2 = SETCERT_ST_GEN;
1291 /* fallthrough */
1292 case SETCERT_ST_GEN:
1293 /*
1294 * This state generates the ckch instances with their
1295 * sni_ctxs and SSL_CTX.
1296 *
1297 * Since the SSL_CTX generation can be CPU consumer, we
1298 * yield every 10 instances.
1299 */
1300
1301 old_ckchs = appctx->ctx.ssl.old_ckchs;
1302 new_ckchs = appctx->ctx.ssl.new_ckchs;
1303
1304 if (!new_ckchs)
1305 continue;
1306
1307 /* get the next ckchi to regenerate */
1308 ckchi = appctx->ctx.ssl.next_ckchi;
1309 /* we didn't start yet, set it to the first elem */
1310 if (ckchi == NULL)
1311 ckchi = LIST_ELEM(old_ckchs->ckch_inst.n, typeof(ckchi), by_ckchs);
1312
1313 /* walk through the old ckch_inst and creates new ckch_inst using the updated ckchs */
1314 list_for_each_entry_from(ckchi, &old_ckchs->ckch_inst, by_ckchs) {
1315 struct ckch_inst *new_inst;
1316 char **sni_filter = NULL;
1317 int fcount = 0;
1318
1319 /* it takes a lot of CPU to creates SSL_CTXs, so we yield every 10 CKCH instances */
1320 if (y >= 10) {
1321 /* save the next ckchi to compute */
1322 appctx->ctx.ssl.next_ckchi = ckchi;
1323 goto yield;
1324 }
1325
1326 if (ckchi->crtlist_entry) {
1327 sni_filter = ckchi->crtlist_entry->filters;
1328 fcount = ckchi->crtlist_entry->fcount;
1329 }
1330
William Lallemand95fefa12020-09-09 12:01:33 +0200[diff] [blame]1331 errcode |= ckch_inst_new_load_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1332
1333 if (errcode & ERR_CODE)
1334 goto error;
1335
1336 /* if the previous ckchi was used as the default */
1337 if (ckchi->is_default)
1338 new_inst->is_default = 1;
1339
1340 /* we need to initialize the SSL_CTX generated */
1341 /* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */
1342 list_for_each_entry_safe(sc0, sc0s, &new_inst->sni_ctx, by_ckch_inst) {
1343 if (!sc0->order) { /* we initialized only the first SSL_CTX because it's the same in the other sni_ctx's */
1344 errcode |= ssl_sock_prepare_ctx(ckchi->bind_conf, ckchi->ssl_conf, sc0->ctx, &err);
1345 if (errcode & ERR_CODE)
1346 goto error;
1347 }
1348 }
1349
1350
1351 /* display one dot per new instance */
1352 chunk_appendf(trash, ".");
1353 /* link the new ckch_inst to the duplicate */
1354 LIST_ADDQ(&new_ckchs->ckch_inst, &new_inst->by_ckchs);
1355 y++;
1356 }
1357 appctx->st2 = SETCERT_ST_INSERT;
1358 /* fallthrough */
1359 case SETCERT_ST_INSERT:
1360 /* The generation is finished, we can insert everything */
1361
1362 old_ckchs = appctx->ctx.ssl.old_ckchs;
1363 new_ckchs = appctx->ctx.ssl.new_ckchs;
1364
1365 if (!new_ckchs)
1366 continue;
1367
1368 /* get the list of crtlist_entry in the old store, and update the pointers to the store */
1369 LIST_SPLICE(&new_ckchs->crtlist_entry, &old_ckchs->crtlist_entry);
1370 list_for_each_entry(entry, &new_ckchs->crtlist_entry, by_ckch_store) {
1371 ebpt_delete(&entry->node);
1372 /* change the ptr and reinsert the node */
1373 entry->node.key = new_ckchs;
1374 ebpt_insert(&entry->crtlist->entries, &entry->node);
1375 }
1376
1377 /* First, we insert every new SNIs in the trees, also replace the default_ctx */
1378 list_for_each_entry_safe(ckchi, ckchis, &new_ckchs->ckch_inst, by_ckchs) {
1379 HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
1380 ssl_sock_load_cert_sni(ckchi, ckchi->bind_conf);
1381 HA_RWLOCK_WRUNLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
1382 }
1383
1384 /* delete the old sni_ctx, the old ckch_insts and the ckch_store */
1385 list_for_each_entry_safe(ckchi, ckchis, &old_ckchs->ckch_inst, by_ckchs) {
1386 struct bind_conf __maybe_unused *bind_conf = ckchi->bind_conf;
1387
1388 HA_RWLOCK_WRLOCK(SNI_LOCK, &bind_conf->sni_lock);
1389 ckch_inst_free(ckchi);
1390 HA_RWLOCK_WRUNLOCK(SNI_LOCK, &bind_conf->sni_lock);
1391 }
1392
1393 /* Replace the old ckchs by the new one */
1394 ckch_store_free(old_ckchs);
1395 ebst_insert(&ckchs_tree, &new_ckchs->node);
1396 appctx->st2 = SETCERT_ST_FIN;
1397 /* fallthrough */
1398 case SETCERT_ST_FIN:
1399 /* we achieved the transaction, we can set everything to NULL */
1400 free(ckchs_transaction.path);
1401 ckchs_transaction.path = NULL;
1402 ckchs_transaction.new_ckchs = NULL;
1403 ckchs_transaction.old_ckchs = NULL;
1404 goto end;
1405 }
1406 }
1407end:
1408
1409 chunk_appendf(trash, "\n");
1410 if (errcode & ERR_WARN)
1411 chunk_appendf(trash, "%s", err);
1412 chunk_appendf(trash, "Success!\n");
1413 if (ci_putchk(si_ic(si), trash) == -1)
1414 si_rx_room_blk(si);
1415 free_trash_chunk(trash);
1416 /* success: call the release function and don't come back */
1417 return 1;
1418yield:
1419 /* store the state */
1420 if (ci_putchk(si_ic(si), trash) == -1)
1421 si_rx_room_blk(si);
1422 free_trash_chunk(trash);
1423 si_rx_endp_more(si); /* let's come back later */
1424 return 0; /* should come back */
1425
1426error:
1427 /* spin unlock and free are done in the release function */
1428 if (trash) {
1429 chunk_appendf(trash, "\n%sFailed!\n", err);
1430 if (ci_putchk(si_ic(si), trash) == -1)
1431 si_rx_room_blk(si);
1432 free_trash_chunk(trash);
1433 }
1434 /* error: call the release function and don't come back */
1435 return 1;
1436}
1437
1438/*
1439 * Parsing function of 'commit ssl cert'
1440 */
1441static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appctx, void *private)
1442{
1443 char *err = NULL;
1444
1445 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
1446 return 1;
1447
1448 if (!*args[3])
1449 return cli_err(appctx, "'commit ssl cert expects a filename\n");
1450
1451 /* The operations on the CKCH architecture are locked so we can
1452 * manipulate ckch_store and ckch_inst */
1453 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
1454 return cli_err(appctx, "Can't commit the certificate!\nOperations on certificates are currently locked!\n");
1455
1456 if (!ckchs_transaction.path) {
1457 memprintf(&err, "No ongoing transaction! !\n");
1458 goto error;
1459 }
1460
1461 if (strcmp(ckchs_transaction.path, args[3]) != 0) {
1462 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to set '%s'\n", ckchs_transaction.path, args[3]);
1463 goto error;
1464 }
1465
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1466 /* if a certificate is here, a private key must be here too */
1467 if (ckchs_transaction.new_ckchs->ckch->cert && !ckchs_transaction.new_ckchs->ckch->key) {
1468 memprintf(&err, "The transaction must contain at least a certificate and a private key!\n");
1469 goto error;
1470 }
William Lallemanda9419522020-06-24 16:26:41 +0200[diff] [blame]1471
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1472 if (!X509_check_private_key(ckchs_transaction.new_ckchs->ckch->cert, ckchs_transaction.new_ckchs->ckch->key)) {
1473 memprintf(&err, "inconsistencies between private key and certificate loaded '%s'.\n", ckchs_transaction.path);
1474 goto error;
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1475 }
1476
1477 /* init the appctx structure */
1478 appctx->st2 = SETCERT_ST_INIT;
1479 appctx->ctx.ssl.next_ckchi = NULL;
1480 appctx->ctx.ssl.new_ckchs = ckchs_transaction.new_ckchs;
1481 appctx->ctx.ssl.old_ckchs = ckchs_transaction.old_ckchs;
1482
1483 /* we don't unlock there, it will be unlock after the IO handler, in the release handler */
1484 return 0;
1485
1486error:
1487
1488 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1489 err = memprintf(&err, "%sCan't commit %s!\n", err ? err : "", args[3]);
1490
1491 return cli_dynerr(appctx, err);
1492}
1493
1494
1495
1496
1497/*
1498 * Parsing function of `set ssl cert`, it updates or creates a temporary ckch.
1499 */
1500static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx, void *private)
1501{
1502 struct ckch_store *new_ckchs = NULL;
1503 struct ckch_store *old_ckchs = NULL;
1504 char *err = NULL;
1505 int i;
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1506 int errcode = 0;
1507 char *end;
1508 int type = CERT_TYPE_PEM;
1509 struct cert_key_and_chain *ckch;
1510 struct buffer *buf;
1511
1512 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
1513 return 1;
1514
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1515 if (!*args[3] || !payload)
1516 return cli_err(appctx, "'set ssl cert expects a filename and a certificate as a payload\n");
1517
1518 /* The operations on the CKCH architecture are locked so we can
1519 * manipulate ckch_store and ckch_inst */
1520 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
1521 return cli_err(appctx, "Can't update the certificate!\nOperations on certificates are currently locked!\n");
1522
William Lallemande5ff4ad2020-06-08 09:40:37 +0200[diff] [blame]1523 if ((buf = alloc_trash_chunk()) == NULL)
1524 return cli_err(appctx, "Can't allocate memory\n");
1525
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1526 if (!chunk_strcpy(buf, args[3])) {
1527 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
1528 errcode |= ERR_ALERT | ERR_FATAL;
1529 goto end;
1530 }
1531
1532 /* check which type of file we want to update */
1533 for (i = 0; cert_exts[i].type < CERT_TYPE_MAX; i++) {
1534 end = strrchr(buf->area, '.');
1535 if (end && *cert_exts[i].ext && (!strcmp(end + 1, cert_exts[i].ext))) {
1536 *end = '\0';
William Lallemand089c1382020-10-23 17:35:12 +0200[diff] [blame^]1537 buf->data = strlen(buf->area);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1538 type = cert_exts[i].type;
1539 break;
1540 }
1541 }
1542
1543 appctx->ctx.ssl.old_ckchs = NULL;
1544 appctx->ctx.ssl.new_ckchs = NULL;
1545
1546 /* if there is an ongoing transaction */
1547 if (ckchs_transaction.path) {
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1548 /* if there is an ongoing transaction, check if this is the same file */
1549 if (strcmp(ckchs_transaction.path, buf->area) != 0) {
William Lallemand089c1382020-10-23 17:35:12 +0200[diff] [blame^]1550 /* we didn't find the transaction, must try more cases below */
1551
1552 /* if the del-ext option is activated we should try to take a look at a ".crt" too. */
1553 if (type != CERT_TYPE_PEM && global_ssl.extra_files_noext) {
1554 if (!chunk_strcat(buf, ".crt")) {
1555 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
1556 errcode |= ERR_ALERT | ERR_FATAL;
1557 goto end;
1558 }
1559
1560 if (strcmp(ckchs_transaction.path, buf->area) != 0) {
1561 /* remove .crt of the error message */
1562 *(b_orig(buf) + b_data(buf) + strlen(".crt")) = '\0';
1563 b_sub(buf, strlen(".crt"));
1564
1565 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to set '%s'\n", ckchs_transaction.path, buf->area);
1566 errcode |= ERR_ALERT | ERR_FATAL;
1567 goto end;
1568 }
1569 }
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1570 }
1571
1572 appctx->ctx.ssl.old_ckchs = ckchs_transaction.new_ckchs;
1573
1574 } else {
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1575
William Lallemand95fefa12020-09-09 12:01:33 +0200[diff] [blame]1576 /* lookup for the certificate in the tree */
1577 appctx->ctx.ssl.old_ckchs = ckchs_lookup(buf->area);
William Lallemand089c1382020-10-23 17:35:12 +0200[diff] [blame^]1578
1579 if (!appctx->ctx.ssl.old_ckchs) {
1580 /* if the del-ext option is activated we should try to take a look at a ".crt" too. */
1581 if (type != CERT_TYPE_PEM && global_ssl.extra_files_noext) {
1582 if (!chunk_strcat(buf, ".crt")) {
1583 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
1584 errcode |= ERR_ALERT | ERR_FATAL;
1585 goto end;
1586 }
1587 appctx->ctx.ssl.old_ckchs = ckchs_lookup(buf->area);
1588 }
1589 }
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1590 }
1591
1592 if (!appctx->ctx.ssl.old_ckchs) {
1593 memprintf(&err, "%sCan't replace a certificate which is not referenced by the configuration!\n",
1594 err ? err : "");
1595 errcode |= ERR_ALERT | ERR_FATAL;
1596 goto end;
1597 }
1598
1599 if (!appctx->ctx.ssl.path) {
1600 /* this is a new transaction, set the path of the transaction */
1601 appctx->ctx.ssl.path = strdup(appctx->ctx.ssl.old_ckchs->path);
1602 if (!appctx->ctx.ssl.path) {
1603 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
1604 errcode |= ERR_ALERT | ERR_FATAL;
1605 goto end;
1606 }
1607 }
1608
1609 old_ckchs = appctx->ctx.ssl.old_ckchs;
1610
1611 /* duplicate the ckch store */
1612 new_ckchs = ckchs_dup(old_ckchs);
1613 if (!new_ckchs) {
1614 memprintf(&err, "%sCannot allocate memory!\n",
1615 err ? err : "");
1616 errcode |= ERR_ALERT | ERR_FATAL;
1617 goto end;
1618 }
1619
William Lallemand95fefa12020-09-09 12:01:33 +0200[diff] [blame]1620 ckch = new_ckchs->ckch;
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1621
1622 /* appply the change on the duplicate */
1623 if (cert_exts[type].load(buf->area, payload, ckch, &err) != 0) {
1624 memprintf(&err, "%sCan't load the payload\n", err ? err : "");
1625 errcode |= ERR_ALERT | ERR_FATAL;
1626 goto end;
1627 }
1628
1629 appctx->ctx.ssl.new_ckchs = new_ckchs;
1630
1631 /* we succeed, we can save the ckchs in the transaction */
1632
1633 /* if there wasn't a transaction, update the old ckchs */
1634 if (!ckchs_transaction.old_ckchs) {
1635 ckchs_transaction.old_ckchs = appctx->ctx.ssl.old_ckchs;
1636 ckchs_transaction.path = appctx->ctx.ssl.path;
1637 err = memprintf(&err, "Transaction created for certificate %s!\n", ckchs_transaction.path);
1638 } else {
1639 err = memprintf(&err, "Transaction updated for certificate %s!\n", ckchs_transaction.path);
1640
1641 }
1642
1643 /* free the previous ckchs if there was a transaction */
1644 ckch_store_free(ckchs_transaction.new_ckchs);
1645
1646 ckchs_transaction.new_ckchs = appctx->ctx.ssl.new_ckchs;
1647
1648
1649 /* creates the SNI ctxs later in the IO handler */
1650
1651end:
1652 free_trash_chunk(buf);
1653
1654 if (errcode & ERR_CODE) {
1655
1656 ckch_store_free(appctx->ctx.ssl.new_ckchs);
1657 appctx->ctx.ssl.new_ckchs = NULL;
1658
1659 appctx->ctx.ssl.old_ckchs = NULL;
1660
1661 free(appctx->ctx.ssl.path);
1662 appctx->ctx.ssl.path = NULL;
1663
1664 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1665 return cli_dynerr(appctx, memprintf(&err, "%sCan't update %s!\n", err ? err : "", args[3]));
1666 } else {
1667
1668 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1669 return cli_dynmsg(appctx, LOG_NOTICE, err);
1670 }
1671 /* TODO: handle the ERR_WARN which are not handled because of the io_handler */
1672}
1673
1674/* parsing function of 'abort ssl cert' */
1675static int cli_parse_abort_cert(char **args, char *payload, struct appctx *appctx, void *private)
1676{
1677 char *err = NULL;
1678
1679 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
1680 return 1;
1681
1682 if (!*args[3])
1683 return cli_err(appctx, "'abort ssl cert' expects a filename\n");
1684
1685 /* The operations on the CKCH architecture are locked so we can
1686 * manipulate ckch_store and ckch_inst */
1687 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
1688 return cli_err(appctx, "Can't abort!\nOperations on certificates are currently locked!\n");
1689
1690 if (!ckchs_transaction.path) {
1691 memprintf(&err, "No ongoing transaction!\n");
1692 goto error;
1693 }
1694
1695 if (strcmp(ckchs_transaction.path, args[3]) != 0) {
1696 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to abort a transaction for '%s'\n", ckchs_transaction.path, args[3]);
1697 goto error;
1698 }
1699
1700 /* Only free the ckchs there, because the SNI and instances were not generated yet */
1701 ckch_store_free(ckchs_transaction.new_ckchs);
1702 ckchs_transaction.new_ckchs = NULL;
1703 ckch_store_free(ckchs_transaction.old_ckchs);
1704 ckchs_transaction.old_ckchs = NULL;
1705 free(ckchs_transaction.path);
1706 ckchs_transaction.path = NULL;
1707
1708 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1709
1710 err = memprintf(&err, "Transaction aborted for certificate '%s'!\n", args[3]);
1711 return cli_dynmsg(appctx, LOG_NOTICE, err);
1712
1713error:
1714 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1715
1716 return cli_dynerr(appctx, err);
1717}
1718
1719/* parsing function of 'new ssl cert' */
1720static int cli_parse_new_cert(char **args, char *payload, struct appctx *appctx, void *private)
1721{
1722 struct ckch_store *store;
1723 char *err = NULL;
1724 char *path;
1725
1726 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
1727 return 1;
1728
1729 if (!*args[3])
1730 return cli_err(appctx, "'new ssl cert' expects a filename\n");
1731
1732 path = args[3];
1733
1734 /* The operations on the CKCH architecture are locked so we can
1735 * manipulate ckch_store and ckch_inst */
1736 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
1737 return cli_err(appctx, "Can't create a certificate!\nOperations on certificates are currently locked!\n");
1738
1739 store = ckchs_lookup(path);
1740 if (store != NULL) {
1741 memprintf(&err, "Certificate '%s' already exists!\n", path);
1742 store = NULL; /* we don't want to free it */
1743 goto error;
1744 }
1745 /* we won't support multi-certificate bundle here */
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]1746 store = ckch_store_new(path);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1747 if (!store) {
1748 memprintf(&err, "unable to allocate memory.\n");
1749 goto error;
1750 }
1751
1752 /* insert into the ckchs tree */
1753 ebst_insert(&ckchs_tree, &store->node);
1754 memprintf(&err, "New empty certificate store '%s'!\n", args[3]);
1755
1756 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1757 return cli_dynmsg(appctx, LOG_NOTICE, err);
1758error:
1759 free(store);
1760 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1761 return cli_dynerr(appctx, err);
1762}
1763
1764/* parsing function of 'del ssl cert' */
1765static int cli_parse_del_cert(char **args, char *payload, struct appctx *appctx, void *private)
1766{
1767 struct ckch_store *store;
1768 char *err = NULL;
1769 char *filename;
1770
1771 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
1772 return 1;
1773
1774 if (!*args[3])
1775 return cli_err(appctx, "'del ssl cert' expects a certificate name\n");
1776
1777 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
1778 return cli_err(appctx, "Can't delete the certificate!\nOperations on certificates are currently locked!\n");
1779
1780 filename = args[3];
1781
1782 store = ckchs_lookup(filename);
1783 if (store == NULL) {
1784 memprintf(&err, "certificate '%s' doesn't exist!\n", filename);
1785 goto error;
1786 }
1787 if (!LIST_ISEMPTY(&store->ckch_inst)) {
1788 memprintf(&err, "certificate '%s' in use, can't be deleted!\n", filename);
1789 goto error;
1790 }
1791
1792 ebmb_delete(&store->node);
1793 ckch_store_free(store);
1794
1795 memprintf(&err, "Certificate '%s' deleted!\n", filename);
1796
1797 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1798 return cli_dynmsg(appctx, LOG_NOTICE, err);
1799
1800error:
1801 memprintf(&err, "Can't remove the certificate: %s\n", err ? err : "");
1802 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1803 return cli_dynerr(appctx, err);
1804}
1805
William Lallemandee8530c2020-06-23 18:19:42 +0200[diff] [blame]1806void ckch_deinit()
1807{
1808 struct eb_node *node, *next;
1809 struct ckch_store *store;
1810
1811 node = eb_first(&ckchs_tree);
1812 while (node) {
1813 next = eb_next(node);
1814 store = ebmb_entry(node, struct ckch_store, node);
1815 ckch_store_free(store);
1816 node = next;
1817 }
1818}
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1819
1820/* register cli keywords */
1821static struct cli_kw_list cli_kws = {{ },{
1822 { { "new", "ssl", "cert", NULL }, "new ssl cert <certfile> : create a new certificate file to be used in a crt-list or a directory", cli_parse_new_cert, NULL, NULL },
1823 { { "set", "ssl", "cert", NULL }, "set ssl cert <certfile> <payload> : replace a certificate file", cli_parse_set_cert, NULL, NULL },
1824 { { "commit", "ssl", "cert", NULL }, "commit ssl cert <certfile> : commit a certificate file", cli_parse_commit_cert, cli_io_handler_commit_cert, cli_release_commit_cert },
1825 { { "abort", "ssl", "cert", NULL }, "abort ssl cert <certfile> : abort a transaction for a certificate file", cli_parse_abort_cert, NULL, NULL },
1826 { { "del", "ssl", "cert", NULL }, "del ssl cert <certfile> : delete an unused certificate file", cli_parse_del_cert, NULL, NULL },
1827 { { "show", "ssl", "cert", NULL }, "show ssl cert [<certfile>] : display the SSL certificates used in memory, or the details of a <certfile>", cli_parse_show_cert, cli_io_handler_show_cert, cli_release_show_cert },
1828 { { NULL }, NULL, NULL, NULL }
1829}};
1830
1831INITCALL1(STG_REGISTER, cli_register_kw, &cli_kws);
1832