Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / d817dc733eacfd7cf5bb0bbc6128f44644db078e / . / src / ssl_ckch.c
blob: 1a09e8db89df7a3a567b178c99a314926348b019 [file] [log] [blame]
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]1/*
2 *
3 * Copyright (C) 2020 HAProxy Technologies, William Lallemand <wlallemand@haproxy.com>
4 *
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version
8 * 2 of the License, or (at your option) any later version.
9 *
10 */
11
12#define _GNU_SOURCE
13#include <ctype.h>
14#include <errno.h>
15#include <fcntl.h>
16#include <stdio.h>
17#include <stdlib.h>
18#include <string.h>
Willy Tarreauaeed4a82020-06-04 22:01:04 +0200[diff] [blame]19#include <syslog.h>
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]20#include <unistd.h>
21
22#include <sys/stat.h>
23#include <sys/types.h>
24
Willy Tarreaub2551052020-06-09 09:07:15 +0200[diff] [blame]25#include <import/ebsttree.h>
26
Willy Tarreau8d366972020-05-27 16:10:29 +0200[diff] [blame]27#include <haproxy/base64.h>
Willy Tarreauf1d32c42020-06-04 21:07:02 +0200[diff] [blame]28#include <haproxy/channel.h>
Willy Tarreau83487a82020-06-04 20:19:54 +0200[diff] [blame]29#include <haproxy/cli.h>
Willy Tarreau8d366972020-05-27 16:10:29 +0200[diff] [blame]30#include <haproxy/errors.h>
Willy Tarreau47d7f902020-06-04 14:25:47 +0200[diff] [blame]31#include <haproxy/ssl_ckch.h>
Willy Tarreau209108d2020-06-04 20:30:20 +0200[diff] [blame]32#include <haproxy/ssl_sock.h>
Willy Tarreaub2bd8652020-06-04 14:21:22 +0200[diff] [blame]33#include <haproxy/ssl_utils.h>
Willy Tarreau5e539c92020-06-04 20:45:39 +0200[diff] [blame]34#include <haproxy/stream_interface.h>
Willy Tarreau48fbcae2020-06-03 18:09:46 +0200[diff] [blame]35#include <haproxy/tools.h>
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]36
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]37/* Uncommitted CKCH transaction */
38
39static struct {
40 struct ckch_store *new_ckchs;
41 struct ckch_store *old_ckchs;
42 char *path;
43} ckchs_transaction;
44
45
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]46
47/******************** cert_key_and_chain functions *************************
48 * These are the functions that fills a cert_key_and_chain structure. For the
49 * functions filling a SSL_CTX from a cert_key_and_chain, see ssl_sock.c
50 */
51
52/*
53 * Try to parse Signed Certificate Timestamp List structure. This function
54 * makes only basic test if the data seems like SCTL. No signature validation
55 * is performed.
56 */
57static int ssl_sock_parse_sctl(struct buffer *sctl)
58{
59 int ret = 1;
60 int len, pos, sct_len;
61 unsigned char *data;
62
63 if (sctl->data < 2)
64 goto out;
65
66 data = (unsigned char *) sctl->area;
67 len = (data[0] << 8) | data[1];
68
69 if (len + 2 != sctl->data)
70 goto out;
71
72 data = data + 2;
73 pos = 0;
74 while (pos < len) {
75 if (len - pos < 2)
76 goto out;
77
78 sct_len = (data[pos] << 8) | data[pos + 1];
79 if (pos + sct_len + 2 > len)
80 goto out;
81
82 pos += sct_len + 2;
83 }
84
85 ret = 0;
86
87out:
88 return ret;
89}
90
91/* Try to load a sctl from a buffer <buf> if not NULL, or read the file <sctl_path>
92 * It fills the ckch->sctl buffer
93 * return 0 on success or != 0 on failure */
94int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_key_and_chain *ckch, char **err)
95{
96 int fd = -1;
97 int r = 0;
98 int ret = 1;
99 struct buffer tmp;
100 struct buffer *src;
101 struct buffer *sctl;
102
103 if (buf) {
104 tmp.area = buf;
105 tmp.data = strlen(buf);
106 tmp.size = tmp.data + 1;
107 src = &tmp;
108 } else {
109 fd = open(sctl_path, O_RDONLY);
110 if (fd == -1)
111 goto end;
112
113 trash.data = 0;
114 while (trash.data < trash.size) {
115 r = read(fd, trash.area + trash.data, trash.size - trash.data);
116 if (r < 0) {
117 if (errno == EINTR)
118 continue;
119 goto end;
120 }
121 else if (r == 0) {
122 break;
123 }
124 trash.data += r;
125 }
126 src = &trash;
127 }
128
129 ret = ssl_sock_parse_sctl(src);
130 if (ret)
131 goto end;
132
133 sctl = calloc(1, sizeof(*sctl));
134 if (!chunk_dup(sctl, src)) {
135 free(sctl);
136 sctl = NULL;
137 goto end;
138 }
139 /* no error, fill ckch with new context, old context must be free */
140 if (ckch->sctl) {
141 free(ckch->sctl->area);
142 ckch->sctl->area = NULL;
143 free(ckch->sctl);
144 }
145 ckch->sctl = sctl;
146 ret = 0;
147end:
148 if (fd != -1)
149 close(fd);
150
151 return ret;
152}
153
154#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
155/*
Ilya Shipitsin46a030c2020-07-05 16:36:08 +0500[diff] [blame]156 * This function load the OCSP Response in DER format contained in file at
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]157 * path 'ocsp_path' or base64 in a buffer <buf>
158 *
159 * Returns 0 on success, 1 in error case.
160 */
161int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct cert_key_and_chain *ckch, char **err)
162{
163 int fd = -1;
164 int r = 0;
165 int ret = 1;
166 struct buffer *ocsp_response;
167 struct buffer *src = NULL;
168
169 if (buf) {
170 int i, j;
171 /* if it's from a buffer it will be base64 */
172
173 /* remove \r and \n from the payload */
174 for (i = 0, j = 0; buf[i]; i++) {
175 if (buf[i] == '\r' || buf[i] == '\n')
176 continue;
177 buf[j++] = buf[i];
178 }
179 buf[j] = 0;
180
181 ret = base64dec(buf, j, trash.area, trash.size);
182 if (ret < 0) {
183 memprintf(err, "Error reading OCSP response in base64 format");
184 goto end;
185 }
186 trash.data = ret;
187 src = &trash;
188 } else {
189 fd = open(ocsp_path, O_RDONLY);
190 if (fd == -1) {
191 memprintf(err, "Error opening OCSP response file");
192 goto end;
193 }
194
195 trash.data = 0;
196 while (trash.data < trash.size) {
197 r = read(fd, trash.area + trash.data, trash.size - trash.data);
198 if (r < 0) {
199 if (errno == EINTR)
200 continue;
201
202 memprintf(err, "Error reading OCSP response from file");
203 goto end;
204 }
205 else if (r == 0) {
206 break;
207 }
208 trash.data += r;
209 }
210 close(fd);
211 fd = -1;
212 src = &trash;
213 }
214
215 ocsp_response = calloc(1, sizeof(*ocsp_response));
216 if (!chunk_dup(ocsp_response, src)) {
217 free(ocsp_response);
218 ocsp_response = NULL;
219 goto end;
220 }
221 /* no error, fill ckch with new context, old context must be free */
222 if (ckch->ocsp_response) {
223 free(ckch->ocsp_response->area);
224 ckch->ocsp_response->area = NULL;
225 free(ckch->ocsp_response);
226 }
227 ckch->ocsp_response = ocsp_response;
228 ret = 0;
229end:
230 if (fd != -1)
231 close(fd);
232
233 return ret;
234}
235#endif
236
237/*
238 * Try to load in a ckch every files related to a ckch.
239 * (PEM, sctl, ocsp, issuer etc.)
240 *
241 * This function is only used to load files during the configuration parsing,
242 * it is not used with the CLI.
243 *
244 * This allows us to carry the contents of the file without having to read the
245 * file multiple times. The caller must call
246 * ssl_sock_free_cert_key_and_chain_contents.
247 *
248 * returns:
249 * 0 on Success
250 * 1 on SSL Failure
251 */
252int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *ckch, char **err)
253{
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]254 struct buffer *fp = NULL;
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]255 int ret = 1;
256
257 /* try to load the PEM */
258 if (ssl_sock_load_pem_into_ckch(path, NULL, ckch , err) != 0) {
259 goto end;
260 }
261
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]262 fp = alloc_trash_chunk();
263 if (!fp) {
264 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
265 goto end;
266 }
267
268 if (!chunk_strcpy(fp, path) || (b_data(fp) > MAXPATHLEN)) {
269 memprintf(err, "%s '%s' filename too long'.\n",
270 err && *err ? *err : "", fp->area);
271 ret = 1;
272 goto end;
273 }
274
William Lallemand089c1382020-10-23 17:35:12 +0200[diff] [blame]275 /* remove the ".crt" extension */
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]276 if (global_ssl.extra_files_noext) {
277 char *ext;
278
279 /* look for the extension */
280 if ((ext = strrchr(fp->area, '.'))) {
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]281
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100[diff] [blame]282 if (strcmp(ext, ".crt") == 0) {
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]283 *ext = '\0';
William Lallemand089c1382020-10-23 17:35:12 +0200[diff] [blame]284 fp->data = strlen(fp->area);
285 }
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]286 }
287
288 }
289
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]290 /* try to load an external private key if it wasn't in the PEM */
291 if ((ckch->key == NULL) && (global_ssl.extra_files & SSL_GF_KEY)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]292 struct stat st;
293
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]294
295 if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) {
296 memprintf(err, "%s '%s' filename too long'.\n",
297 err && *err ? *err : "", fp->area);
298 ret = 1;
299 goto end;
300 }
301
302 if (stat(fp->area, &st) == 0) {
303 if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]304 memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]305 err && *err ? *err : "", fp->area);
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]306 goto end;
307 }
308 }
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]309
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]310 if (ckch->key == NULL) {
311 memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
312 goto end;
313 }
314 /* remove the added extension */
315 *(fp->area + fp->data - strlen(".key")) = '\0';
316 b_sub(fp, strlen(".key"));
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]317 }
318
319 if (!X509_check_private_key(ckch->cert, ckch->key)) {
320 memprintf(err, "%sinconsistencies between private key and certificate loaded '%s'.\n",
321 err && *err ? *err : "", path);
322 goto end;
323 }
324
325#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
326 /* try to load the sctl file */
327 if (global_ssl.extra_files & SSL_GF_SCTL) {
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]328 struct stat st;
329
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]330 if (!chunk_strcat(fp, ".sctl") || b_data(fp) > MAXPATHLEN) {
331 memprintf(err, "%s '%s' filename too long'.\n",
332 err && *err ? *err : "", fp->area);
333 ret = 1;
334 goto end;
335 }
336
337 if (stat(fp->area, &st) == 0) {
338 if (ssl_sock_load_sctl_from_file(fp->area, NULL, ckch, err)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]339 memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]340 err && *err ? *err : "", fp->area);
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]341 ret = 1;
342 goto end;
343 }
344 }
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]345 /* remove the added extension */
346 *(fp->area + fp->data - strlen(".sctl")) = '\0';
347 b_sub(fp, strlen(".sctl"));
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]348 }
349#endif
350
351 /* try to load an ocsp response file */
352 if (global_ssl.extra_files & SSL_GF_OCSP) {
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]353 struct stat st;
354
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]355 if (!chunk_strcat(fp, ".ocsp") || b_data(fp) > MAXPATHLEN) {
356 memprintf(err, "%s '%s' filename too long'.\n",
357 err && *err ? *err : "", fp->area);
358 ret = 1;
359 goto end;
360 }
361
362 if (stat(fp->area, &st) == 0) {
363 if (ssl_sock_load_ocsp_response_from_file(fp->area, NULL, ckch, err)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]364 ret = 1;
365 goto end;
366 }
367 }
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]368 /* remove the added extension */
369 *(fp->area + fp->data - strlen(".ocsp")) = '\0';
370 b_sub(fp, strlen(".ocsp"));
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]371 }
372
373#ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */
374 if (ckch->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) {
375 /* if no issuer was found, try to load an issuer from the .issuer */
376 if (!ckch->ocsp_issuer) {
377 struct stat st;
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]378
379 if (!chunk_strcat(fp, ".issuer") || b_data(fp) > MAXPATHLEN) {
380 memprintf(err, "%s '%s' filename too long'.\n",
381 err && *err ? *err : "", fp->area);
382 ret = 1;
383 goto end;
384 }
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]385
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]386 if (stat(fp->area, &st) == 0) {
387 if (ssl_sock_load_issuer_file_into_ckch(fp->area, NULL, ckch, err)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]388 ret = 1;
389 goto end;
390 }
391
392 if (X509_check_issued(ckch->ocsp_issuer, ckch->cert) != X509_V_OK) {
393 memprintf(err, "%s '%s' is not an issuer'.\n",
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]394 err && *err ? *err : "", fp->area);
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]395 ret = 1;
396 goto end;
397 }
398 }
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]399 /* remove the added extension */
400 *(fp->area + fp->data - strlen(".issuer")) = '\0';
401 b_sub(fp, strlen(".issuer"));
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]402 }
403 }
404#endif
405
406 ret = 0;
407
408end:
409
410 ERR_clear_error();
411
412 /* Something went wrong in one of the reads */
413 if (ret != 0)
414 ssl_sock_free_cert_key_and_chain_contents(ckch);
415
William Lallemand8e8581e2020-10-20 17:36:46 +0200[diff] [blame]416 free_trash_chunk(fp);
417
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]418 return ret;
419}
420
421/*
422 * Try to load a private key file from a <path> or a buffer <buf>
423 *
424 * If it failed you should not attempt to use the ckch but free it.
425 *
426 * Return 0 on success or != 0 on failure
427 */
428int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err)
429{
430 BIO *in = NULL;
431 int ret = 1;
432 EVP_PKEY *key = NULL;
433
434 if (buf) {
435 /* reading from a buffer */
436 in = BIO_new_mem_buf(buf, -1);
437 if (in == NULL) {
438 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
439 goto end;
440 }
441
442 } else {
443 /* reading from a file */
444 in = BIO_new(BIO_s_file());
445 if (in == NULL)
446 goto end;
447
448 if (BIO_read_filename(in, path) <= 0)
449 goto end;
450 }
451
452 /* Read Private Key */
453 key = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
454 if (key == NULL) {
455 memprintf(err, "%sunable to load private key from file '%s'.\n",
456 err && *err ? *err : "", path);
457 goto end;
458 }
459
460 ret = 0;
461
462 SWAP(ckch->key, key);
463
464end:
465
466 ERR_clear_error();
467 if (in)
468 BIO_free(in);
469 if (key)
470 EVP_PKEY_free(key);
471
472 return ret;
473}
474
475/*
476 * Try to load a PEM file from a <path> or a buffer <buf>
477 * The PEM must contain at least a Certificate,
478 * It could contain a DH, a certificate chain and a PrivateKey.
479 *
480 * If it failed you should not attempt to use the ckch but free it.
481 *
482 * Return 0 on success or != 0 on failure
483 */
484int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err)
485{
486 BIO *in = NULL;
487 int ret = 1;
488 X509 *ca;
489 X509 *cert = NULL;
490 EVP_PKEY *key = NULL;
491 DH *dh = NULL;
492 STACK_OF(X509) *chain = NULL;
493
494 if (buf) {
495 /* reading from a buffer */
496 in = BIO_new_mem_buf(buf, -1);
497 if (in == NULL) {
498 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
499 goto end;
500 }
501
502 } else {
503 /* reading from a file */
504 in = BIO_new(BIO_s_file());
505 if (in == NULL) {
506 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
507 goto end;
508 }
509
510 if (BIO_read_filename(in, path) <= 0) {
511 memprintf(err, "%scannot open the file '%s'.\n",
512 err && *err ? *err : "", path);
513 goto end;
514 }
515 }
516
517 /* Read Private Key */
518 key = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
519 /* no need to check for errors here, because the private key could be loaded later */
520
521#ifndef OPENSSL_NO_DH
522 /* Seek back to beginning of file */
523 if (BIO_reset(in) == -1) {
524 memprintf(err, "%san error occurred while reading the file '%s'.\n",
525 err && *err ? *err : "", path);
526 goto end;
527 }
528
529 dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
530 /* no need to return an error there, dh is not mandatory */
531#endif
532
533 /* Seek back to beginning of file */
534 if (BIO_reset(in) == -1) {
535 memprintf(err, "%san error occurred while reading the file '%s'.\n",
536 err && *err ? *err : "", path);
537 goto end;
538 }
539
540 /* Read Certificate */
541 cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
542 if (cert == NULL) {
543 memprintf(err, "%sunable to load certificate from file '%s'.\n",
544 err && *err ? *err : "", path);
545 goto end;
546 }
547
548 /* Look for a Certificate Chain */
549 while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
550 if (chain == NULL)
551 chain = sk_X509_new_null();
552 if (!sk_X509_push(chain, ca)) {
553 X509_free(ca);
554 goto end;
555 }
556 }
557
558 ret = ERR_get_error();
559 if (ret && (ERR_GET_LIB(ret) != ERR_LIB_PEM && ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) {
560 memprintf(err, "%sunable to load certificate chain from file '%s'.\n",
561 err && *err ? *err : "", path);
562 goto end;
563 }
564
565 /* once it loaded the PEM, it should remove everything else in the ckch */
566 if (ckch->ocsp_response) {
567 free(ckch->ocsp_response->area);
568 ckch->ocsp_response->area = NULL;
569 free(ckch->ocsp_response);
570 ckch->ocsp_response = NULL;
571 }
572
573 if (ckch->sctl) {
574 free(ckch->sctl->area);
575 ckch->sctl->area = NULL;
576 free(ckch->sctl);
577 ckch->sctl = NULL;
578 }
579
580 if (ckch->ocsp_issuer) {
581 X509_free(ckch->ocsp_issuer);
582 ckch->ocsp_issuer = NULL;
583 }
584
585 /* no error, fill ckch with new context, old context will be free at end: */
586 SWAP(ckch->key, key);
587 SWAP(ckch->dh, dh);
588 SWAP(ckch->cert, cert);
589 SWAP(ckch->chain, chain);
590
591 ret = 0;
592
593end:
594
595 ERR_clear_error();
596 if (in)
597 BIO_free(in);
598 if (key)
599 EVP_PKEY_free(key);
600 if (dh)
601 DH_free(dh);
602 if (cert)
603 X509_free(cert);
604 if (chain)
605 sk_X509_pop_free(chain, X509_free);
606
607 return ret;
608}
609
610/* Frees the contents of a cert_key_and_chain
611 */
612void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch)
613{
614 if (!ckch)
615 return;
616
617 /* Free the certificate and set pointer to NULL */
618 if (ckch->cert)
619 X509_free(ckch->cert);
620 ckch->cert = NULL;
621
622 /* Free the key and set pointer to NULL */
623 if (ckch->key)
624 EVP_PKEY_free(ckch->key);
625 ckch->key = NULL;
626
627 /* Free each certificate in the chain */
628 if (ckch->chain)
629 sk_X509_pop_free(ckch->chain, X509_free);
630 ckch->chain = NULL;
631
632 if (ckch->dh)
633 DH_free(ckch->dh);
634 ckch->dh = NULL;
635
636 if (ckch->sctl) {
637 free(ckch->sctl->area);
638 ckch->sctl->area = NULL;
639 free(ckch->sctl);
640 ckch->sctl = NULL;
641 }
642
643 if (ckch->ocsp_response) {
644 free(ckch->ocsp_response->area);
645 ckch->ocsp_response->area = NULL;
646 free(ckch->ocsp_response);
647 ckch->ocsp_response = NULL;
648 }
649
650 if (ckch->ocsp_issuer)
651 X509_free(ckch->ocsp_issuer);
652 ckch->ocsp_issuer = NULL;
653}
654
655/*
656 *
657 * This function copy a cert_key_and_chain in memory
658 *
659 * It's used to try to apply changes on a ckch before committing them, because
660 * most of the time it's not possible to revert those changes
661 *
662 * Return a the dst or NULL
663 */
664struct cert_key_and_chain *ssl_sock_copy_cert_key_and_chain(struct cert_key_and_chain *src,
665 struct cert_key_and_chain *dst)
666{
667 if (src->cert) {
668 dst->cert = src->cert;
669 X509_up_ref(src->cert);
670 }
671
672 if (src->key) {
673 dst->key = src->key;
674 EVP_PKEY_up_ref(src->key);
675 }
676
677 if (src->chain) {
678 dst->chain = X509_chain_up_ref(src->chain);
679 }
680
681 if (src->dh) {
682 DH_up_ref(src->dh);
683 dst->dh = src->dh;
684 }
685
686 if (src->sctl) {
687 struct buffer *sctl;
688
689 sctl = calloc(1, sizeof(*sctl));
690 if (!chunk_dup(sctl, src->sctl)) {
691 free(sctl);
692 sctl = NULL;
693 goto error;
694 }
695 dst->sctl = sctl;
696 }
697
698 if (src->ocsp_response) {
699 struct buffer *ocsp_response;
700
701 ocsp_response = calloc(1, sizeof(*ocsp_response));
702 if (!chunk_dup(ocsp_response, src->ocsp_response)) {
703 free(ocsp_response);
704 ocsp_response = NULL;
705 goto error;
706 }
707 dst->ocsp_response = ocsp_response;
708 }
709
710 if (src->ocsp_issuer) {
711 X509_up_ref(src->ocsp_issuer);
712 dst->ocsp_issuer = src->ocsp_issuer;
713 }
714
715 return dst;
716
717error:
718
719 /* free everything */
720 ssl_sock_free_cert_key_and_chain_contents(dst);
721
722 return NULL;
723}
724
725/*
726 * return 0 on success or != 0 on failure
727 */
728int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch, char **err)
729{
730 int ret = 1;
731 BIO *in = NULL;
732 X509 *issuer;
733
734 if (buf) {
735 /* reading from a buffer */
736 in = BIO_new_mem_buf(buf, -1);
737 if (in == NULL) {
738 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
739 goto end;
740 }
741
742 } else {
743 /* reading from a file */
744 in = BIO_new(BIO_s_file());
745 if (in == NULL)
746 goto end;
747
748 if (BIO_read_filename(in, path) <= 0)
749 goto end;
750 }
751
752 issuer = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
753 if (!issuer) {
754 memprintf(err, "%s'%s' cannot be read or parsed'.\n",
755 err && *err ? *err : "", path);
756 goto end;
757 }
758 /* no error, fill ckch with new context, old context must be free */
759 if (ckch->ocsp_issuer)
760 X509_free(ckch->ocsp_issuer);
761 ckch->ocsp_issuer = issuer;
762 ret = 0;
763
764end:
765
766 ERR_clear_error();
767 if (in)
768 BIO_free(in);
769
770 return ret;
771}
772
773/******************** ckch_store functions ***********************************
774 * The ckch_store is a structure used to cache and index the SSL files used in
775 * configuration
776 */
777
778/*
779 * Free a ckch_store, its ckch, its instances and remove it from the ebtree
780 */
781void ckch_store_free(struct ckch_store *store)
782{
783 struct ckch_inst *inst, *inst_s;
784
785 if (!store)
786 return;
787
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]788 ssl_sock_free_cert_key_and_chain_contents(store->ckch);
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]789
790 free(store->ckch);
791 store->ckch = NULL;
792
793 list_for_each_entry_safe(inst, inst_s, &store->ckch_inst, by_ckchs) {
794 ckch_inst_free(inst);
795 }
796 ebmb_delete(&store->node);
797 free(store);
798}
799
800/*
801 * create and initialize a ckch_store
802 * <path> is the key name
803 * <nmemb> is the number of store->ckch objects to allocate
804 *
805 * Return a ckch_store or NULL upon failure.
806 */
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]807struct ckch_store *ckch_store_new(const char *filename)
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]808{
809 struct ckch_store *store;
810 int pathlen;
811
812 pathlen = strlen(filename);
813 store = calloc(1, sizeof(*store) + pathlen + 1);
814 if (!store)
815 return NULL;
816
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]817 memcpy(store->path, filename, pathlen + 1);
818
819 LIST_INIT(&store->ckch_inst);
820 LIST_INIT(&store->crtlist_entry);
821
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]822 store->ckch = calloc(1, sizeof(*store->ckch));
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]823 if (!store->ckch)
824 goto error;
825
826 return store;
827error:
828 ckch_store_free(store);
829 return NULL;
830}
831
832/* allocate and duplicate a ckch_store
833 * Return a new ckch_store or NULL */
834struct ckch_store *ckchs_dup(const struct ckch_store *src)
835{
836 struct ckch_store *dst;
837
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]838 dst = ckch_store_new(src->path);
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]839
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]840 if (!ssl_sock_copy_cert_key_and_chain(src->ckch, dst->ckch))
841 goto error;
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]842
843 return dst;
844
845error:
846 ckch_store_free(dst);
847
848 return NULL;
849}
850
851/*
852 * lookup a path into the ckchs tree.
853 */
854struct ckch_store *ckchs_lookup(char *path)
855{
856 struct ebmb_node *eb;
857
858 eb = ebst_lookup(&ckchs_tree, path);
859 if (!eb)
860 return NULL;
861
862 return ebmb_entry(eb, struct ckch_store, node);
863}
864
865/*
866 * This function allocate a ckch_store and populate it with certificates from files.
867 */
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]868struct ckch_store *ckchs_load_cert_file(char *path, char **err)
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]869{
870 struct ckch_store *ckchs;
871
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]872 ckchs = ckch_store_new(path);
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]873 if (!ckchs) {
874 memprintf(err, "%sunable to allocate memory.\n", err && *err ? *err : "");
875 goto end;
876 }
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]877
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]878 if (ssl_sock_load_files_into_ckch(path, ckchs->ckch, err) == 1)
879 goto end;
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]880
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]881 /* insert into the ckchs tree */
882 memcpy(ckchs->path, path, strlen(path) + 1);
883 ebst_insert(&ckchs_tree, &ckchs->node);
William Lallemand03c331c2020-05-13 10:10:01 +0200[diff] [blame]884 return ckchs;
885
886end:
887 ckch_store_free(ckchs);
888
889 return NULL;
890}
891
William Lallemandfa1d8b42020-05-13 15:46:10 +0200[diff] [blame]892
893/******************** ckch_inst functions ******************************/
894
895/* unlink a ckch_inst, free all SNIs, free the ckch_inst */
896/* The caller must use the lock of the bind_conf if used with inserted SNIs */
897void ckch_inst_free(struct ckch_inst *inst)
898{
899 struct sni_ctx *sni, *sni_s;
900
901 if (inst == NULL)
902 return;
903
904 list_for_each_entry_safe(sni, sni_s, &inst->sni_ctx, by_ckch_inst) {
905 SSL_CTX_free(sni->ctx);
906 LIST_DEL(&sni->by_ckch_inst);
907 ebmb_delete(&sni->name);
908 free(sni);
909 }
910 LIST_DEL(&inst->by_ckchs);
911 LIST_DEL(&inst->by_crtlist_entry);
912 free(inst);
913}
914
915/* Alloc and init a ckch_inst */
916struct ckch_inst *ckch_inst_new()
917{
918 struct ckch_inst *ckch_inst;
919
920 ckch_inst = calloc(1, sizeof *ckch_inst);
921 if (!ckch_inst)
922 return NULL;
923
924 LIST_INIT(&ckch_inst->sni_ctx);
925 LIST_INIT(&ckch_inst->by_ckchs);
926 LIST_INIT(&ckch_inst->by_crtlist_entry);
927
928 return ckch_inst;
929}
930
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]931/*************************** CLI commands ***********************/
932
933/* Type of SSL payloads that can be updated over the CLI */
934
935enum {
936 CERT_TYPE_PEM = 0,
937 CERT_TYPE_KEY,
938#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
939 CERT_TYPE_OCSP,
940#endif
941 CERT_TYPE_ISSUER,
942#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
943 CERT_TYPE_SCTL,
944#endif
945 CERT_TYPE_MAX,
946};
947
948struct {
949 const char *ext;
950 int type;
951 int (*load)(const char *path, char *payload, struct cert_key_and_chain *ckch, char **err);
952 /* add a parsing callback */
953} cert_exts[CERT_TYPE_MAX+1] = {
954 [CERT_TYPE_PEM] = { "", CERT_TYPE_PEM, &ssl_sock_load_pem_into_ckch }, /* default mode, no extensions */
955 [CERT_TYPE_KEY] = { "key", CERT_TYPE_KEY, &ssl_sock_load_key_into_ckch },
956#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
957 [CERT_TYPE_OCSP] = { "ocsp", CERT_TYPE_OCSP, &ssl_sock_load_ocsp_response_from_file },
958#endif
959#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
960 [CERT_TYPE_SCTL] = { "sctl", CERT_TYPE_SCTL, &ssl_sock_load_sctl_from_file },
961#endif
962 [CERT_TYPE_ISSUER] = { "issuer", CERT_TYPE_ISSUER, &ssl_sock_load_issuer_file_into_ckch },
963 [CERT_TYPE_MAX] = { NULL, CERT_TYPE_MAX, NULL },
964};
965
966
967/* release function of the `show ssl cert' command */
968static void cli_release_show_cert(struct appctx *appctx)
969{
970 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
971}
972
973/* IO handler of "show ssl cert <filename>" */
974static int cli_io_handler_show_cert(struct appctx *appctx)
975{
976 struct buffer *trash = alloc_trash_chunk();
977 struct ebmb_node *node;
978 struct stream_interface *si = appctx->owner;
979 struct ckch_store *ckchs;
980
981 if (trash == NULL)
982 return 1;
983
984 if (!appctx->ctx.ssl.old_ckchs) {
985 if (ckchs_transaction.old_ckchs) {
986 ckchs = ckchs_transaction.old_ckchs;
987 chunk_appendf(trash, "# transaction\n");
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]988 chunk_appendf(trash, "*%s\n", ckchs->path);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]989 }
990 }
991
992 if (!appctx->ctx.cli.p0) {
993 chunk_appendf(trash, "# filename\n");
994 node = ebmb_first(&ckchs_tree);
995 } else {
996 node = &((struct ckch_store *)appctx->ctx.cli.p0)->node;
997 }
998 while (node) {
999 ckchs = ebmb_entry(node, struct ckch_store, node);
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1000 chunk_appendf(trash, "%s\n", ckchs->path);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1001
1002 node = ebmb_next(node);
1003 if (ci_putchk(si_ic(si), trash) == -1) {
1004 si_rx_room_blk(si);
1005 goto yield;
1006 }
1007 }
1008
1009 appctx->ctx.cli.p0 = NULL;
1010 free_trash_chunk(trash);
1011 return 1;
1012yield:
1013
1014 free_trash_chunk(trash);
1015 appctx->ctx.cli.p0 = ckchs;
1016 return 0; /* should come back */
1017}
1018
1019/*
1020 * Extract and format the DNS SAN extensions and copy result into a chuink
1021 * Return 0;
1022 */
1023#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1024static int ssl_sock_get_san_oneline(X509 *cert, struct buffer *out)
1025{
1026 int i;
1027 char *str;
1028 STACK_OF(GENERAL_NAME) *names = NULL;
1029
1030 names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
1031 if (names) {
1032 for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
1033 GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
1034 if (i > 0)
1035 chunk_appendf(out, ", ");
1036 if (name->type == GEN_DNS) {
1037 if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) {
1038 chunk_appendf(out, "DNS:%s", str);
1039 OPENSSL_free(str);
1040 }
1041 }
1042 }
1043 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
1044 }
1045 return 0;
1046}
1047#endif
1048
1049
1050
1051
1052/* IO handler of the details "show ssl cert <filename>" */
1053static int cli_io_handler_show_cert_detail(struct appctx *appctx)
1054{
1055 struct stream_interface *si = appctx->owner;
1056 struct ckch_store *ckchs = appctx->ctx.cli.p0;
1057 struct buffer *out = alloc_trash_chunk();
1058 struct buffer *tmp = alloc_trash_chunk();
1059 X509_NAME *name = NULL;
1060 STACK_OF(X509) *chain;
1061 unsigned int len = 0;
1062 int write = -1;
1063 BIO *bio = NULL;
1064 int i;
1065
1066 if (!tmp || !out)
1067 goto end_no_putchk;
1068
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1069 chunk_appendf(out, "Filename: ");
1070 if (ckchs == ckchs_transaction.new_ckchs)
1071 chunk_appendf(out, "*");
1072 chunk_appendf(out, "%s\n", ckchs->path);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1073
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1074 chunk_appendf(out, "Status: ");
1075 if (ckchs->ckch->cert == NULL)
1076 chunk_appendf(out, "Empty\n");
1077 else if (LIST_ISEMPTY(&ckchs->ckch_inst))
1078 chunk_appendf(out, "Unused\n");
1079 else
1080 chunk_appendf(out, "Used\n");
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1081
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1082 if (ckchs->ckch->cert == NULL)
1083 goto end;
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1084
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1085 chain = ckchs->ckch->chain;
1086 if (chain == NULL) {
1087 struct issuer_chain *issuer;
1088 issuer = ssl_get0_issuer_chain(ckchs->ckch->cert);
1089 if (issuer) {
1090 chain = issuer->chain;
1091 chunk_appendf(out, "Chain Filename: ");
1092 chunk_appendf(out, "%s\n", issuer->path);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1093 }
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1094 }
1095 chunk_appendf(out, "Serial: ");
1096 if (ssl_sock_get_serial(ckchs->ckch->cert, tmp) == -1)
1097 goto end;
1098 dump_binary(out, tmp->area, tmp->data);
1099 chunk_appendf(out, "\n");
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1100
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1101 chunk_appendf(out, "notBefore: ");
1102 chunk_reset(tmp);
1103 if ((bio = BIO_new(BIO_s_mem())) == NULL)
1104 goto end;
1105 if (ASN1_TIME_print(bio, X509_getm_notBefore(ckchs->ckch->cert)) == 0)
1106 goto end;
1107 write = BIO_read(bio, tmp->area, tmp->size-1);
1108 tmp->area[write] = '\0';
1109 BIO_free(bio);
1110 bio = NULL;
1111 chunk_appendf(out, "%s\n", tmp->area);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1112
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1113 chunk_appendf(out, "notAfter: ");
1114 chunk_reset(tmp);
1115 if ((bio = BIO_new(BIO_s_mem())) == NULL)
1116 goto end;
1117 if (ASN1_TIME_print(bio, X509_getm_notAfter(ckchs->ckch->cert)) == 0)
1118 goto end;
1119 if ((write = BIO_read(bio, tmp->area, tmp->size-1)) <= 0)
1120 goto end;
1121 tmp->area[write] = '\0';
1122 BIO_free(bio);
1123 bio = NULL;
1124 chunk_appendf(out, "%s\n", tmp->area);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1125
1126#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1127 chunk_appendf(out, "Subject Alternative Name: ");
1128 if (ssl_sock_get_san_oneline(ckchs->ckch->cert, out) == -1)
1129 goto end;
1130 *(out->area + out->data) = '\0';
1131 chunk_appendf(out, "\n");
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1132#endif
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1133 chunk_reset(tmp);
1134 chunk_appendf(out, "Algorithm: ");
1135 if (cert_get_pkey_algo(ckchs->ckch->cert, tmp) == 0)
1136 goto end;
1137 chunk_appendf(out, "%s\n", tmp->area);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1138
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1139 chunk_reset(tmp);
1140 chunk_appendf(out, "SHA1 FingerPrint: ");
1141 if (X509_digest(ckchs->ckch->cert, EVP_sha1(), (unsigned char *) tmp->area, &len) == 0)
1142 goto end;
1143 tmp->data = len;
1144 dump_binary(out, tmp->area, tmp->data);
1145 chunk_appendf(out, "\n");
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1146
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1147 chunk_appendf(out, "Subject: ");
1148 if ((name = X509_get_subject_name(ckchs->ckch->cert)) == NULL)
1149 goto end;
1150 if ((ssl_sock_get_dn_oneline(name, tmp)) == -1)
1151 goto end;
1152 *(tmp->area + tmp->data) = '\0';
1153 chunk_appendf(out, "%s\n", tmp->area);
1154
1155 chunk_appendf(out, "Issuer: ");
1156 if ((name = X509_get_issuer_name(ckchs->ckch->cert)) == NULL)
1157 goto end;
1158 if ((ssl_sock_get_dn_oneline(name, tmp)) == -1)
1159 goto end;
1160 *(tmp->area + tmp->data) = '\0';
1161 chunk_appendf(out, "%s\n", tmp->area);
1162
1163 /* Displays subject of each certificate in the chain */
1164 for (i = 0; i < sk_X509_num(chain); i++) {
1165 X509 *ca = sk_X509_value(chain, i);
1166
1167 chunk_appendf(out, "Chain Subject: ");
1168 if ((name = X509_get_subject_name(ca)) == NULL)
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1169 goto end;
1170 if ((ssl_sock_get_dn_oneline(name, tmp)) == -1)
1171 goto end;
1172 *(tmp->area + tmp->data) = '\0';
1173 chunk_appendf(out, "%s\n", tmp->area);
1174
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1175 chunk_appendf(out, "Chain Issuer: ");
1176 if ((name = X509_get_issuer_name(ca)) == NULL)
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1177 goto end;
1178 if ((ssl_sock_get_dn_oneline(name, tmp)) == -1)
1179 goto end;
1180 *(tmp->area + tmp->data) = '\0';
1181 chunk_appendf(out, "%s\n", tmp->area);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1182 }
1183
1184end:
1185 if (ci_putchk(si_ic(si), out) == -1) {
1186 si_rx_room_blk(si);
1187 goto yield;
1188 }
1189
1190end_no_putchk:
1191 if (bio)
1192 BIO_free(bio);
1193 free_trash_chunk(tmp);
1194 free_trash_chunk(out);
1195 return 1;
1196yield:
1197 free_trash_chunk(tmp);
1198 free_trash_chunk(out);
1199 return 0; /* should come back */
1200}
1201
1202/* parsing function for 'show ssl cert [certfile]' */
1203static int cli_parse_show_cert(char **args, char *payload, struct appctx *appctx, void *private)
1204{
1205 struct ckch_store *ckchs;
1206
1207 if (!cli_has_level(appctx, ACCESS_LVL_OPER))
1208 return cli_err(appctx, "Can't allocate memory!\n");
1209
1210 /* The operations on the CKCH architecture are locked so we can
1211 * manipulate ckch_store and ckch_inst */
1212 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
1213 return cli_err(appctx, "Can't show!\nOperations on certificates are currently locked!\n");
1214
1215 /* check if there is a certificate to lookup */
1216 if (*args[3]) {
1217 if (*args[3] == '*') {
1218 if (!ckchs_transaction.new_ckchs)
1219 goto error;
1220
1221 ckchs = ckchs_transaction.new_ckchs;
1222
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100[diff] [blame]1223 if (strcmp(args[3] + 1, ckchs->path) != 0)
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1224 goto error;
1225
1226 } else {
1227 if ((ckchs = ckchs_lookup(args[3])) == NULL)
1228 goto error;
1229
1230 }
1231
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1232 appctx->ctx.cli.p0 = ckchs;
1233 /* use the IO handler that shows details */
1234 appctx->io_handler = cli_io_handler_show_cert_detail;
1235 }
1236
1237 return 0;
1238
1239error:
1240 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1241 return cli_err(appctx, "Can't display the certificate: Not found or the certificate is a bundle!\n");
1242}
1243
1244/* release function of the `set ssl cert' command, free things and unlock the spinlock */
1245static void cli_release_commit_cert(struct appctx *appctx)
1246{
1247 struct ckch_store *new_ckchs;
1248
1249 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1250
1251 if (appctx->st2 != SETCERT_ST_FIN) {
1252 /* free every new sni_ctx and the new store, which are not in the trees so no spinlock there */
1253 new_ckchs = appctx->ctx.ssl.new_ckchs;
1254
1255 /* if the allocation failed, we need to free everything from the temporary list */
1256 ckch_store_free(new_ckchs);
1257 }
1258}
1259
1260/*
1261 * This function tries to create the new ckch_inst and their SNIs
1262 */
1263static int cli_io_handler_commit_cert(struct appctx *appctx)
1264{
1265 struct stream_interface *si = appctx->owner;
1266 int y = 0;
1267 char *err = NULL;
1268 int errcode = 0;
1269 struct ckch_store *old_ckchs, *new_ckchs = NULL;
1270 struct ckch_inst *ckchi, *ckchis;
1271 struct buffer *trash = alloc_trash_chunk();
1272 struct sni_ctx *sc0, *sc0s;
1273 struct crtlist_entry *entry;
1274
1275 if (trash == NULL)
1276 goto error;
1277
1278 if (unlikely(si_ic(si)->flags & (CF_WRITE_ERROR|CF_SHUTW)))
1279 goto error;
1280
1281 while (1) {
1282 switch (appctx->st2) {
1283 case SETCERT_ST_INIT:
1284 /* This state just print the update message */
1285 chunk_printf(trash, "Committing %s", ckchs_transaction.path);
1286 if (ci_putchk(si_ic(si), trash) == -1) {
1287 si_rx_room_blk(si);
1288 goto yield;
1289 }
1290 appctx->st2 = SETCERT_ST_GEN;
1291 /* fallthrough */
1292 case SETCERT_ST_GEN:
1293 /*
1294 * This state generates the ckch instances with their
1295 * sni_ctxs and SSL_CTX.
1296 *
1297 * Since the SSL_CTX generation can be CPU consumer, we
1298 * yield every 10 instances.
1299 */
1300
1301 old_ckchs = appctx->ctx.ssl.old_ckchs;
1302 new_ckchs = appctx->ctx.ssl.new_ckchs;
1303
1304 if (!new_ckchs)
1305 continue;
1306
1307 /* get the next ckchi to regenerate */
1308 ckchi = appctx->ctx.ssl.next_ckchi;
1309 /* we didn't start yet, set it to the first elem */
1310 if (ckchi == NULL)
1311 ckchi = LIST_ELEM(old_ckchs->ckch_inst.n, typeof(ckchi), by_ckchs);
1312
1313 /* walk through the old ckch_inst and creates new ckch_inst using the updated ckchs */
1314 list_for_each_entry_from(ckchi, &old_ckchs->ckch_inst, by_ckchs) {
1315 struct ckch_inst *new_inst;
1316 char **sni_filter = NULL;
1317 int fcount = 0;
1318
1319 /* it takes a lot of CPU to creates SSL_CTXs, so we yield every 10 CKCH instances */
1320 if (y >= 10) {
1321 /* save the next ckchi to compute */
1322 appctx->ctx.ssl.next_ckchi = ckchi;
1323 goto yield;
1324 }
1325
1326 if (ckchi->crtlist_entry) {
1327 sni_filter = ckchi->crtlist_entry->filters;
1328 fcount = ckchi->crtlist_entry->fcount;
1329 }
1330
Remi Tricot-Le Bretond817dc72021-01-25 17:19:43 +0100[diff] [blame^]1331 if (ckchi->is_server_instance)
1332 goto error; /* Not managed yet */
1333
William Lallemand95fefa12020-09-09 12:01:33 +0200[diff] [blame]1334 errcode |= ckch_inst_new_load_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1335
1336 if (errcode & ERR_CODE)
1337 goto error;
1338
1339 /* if the previous ckchi was used as the default */
1340 if (ckchi->is_default)
1341 new_inst->is_default = 1;
1342
William Lallemanda55685b2020-12-15 14:57:46 +0100[diff] [blame]1343 /* create the link to the crtlist_entry */
1344 new_inst->crtlist_entry = ckchi->crtlist_entry;
1345
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1346 /* we need to initialize the SSL_CTX generated */
1347 /* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */
1348 list_for_each_entry_safe(sc0, sc0s, &new_inst->sni_ctx, by_ckch_inst) {
1349 if (!sc0->order) { /* we initialized only the first SSL_CTX because it's the same in the other sni_ctx's */
1350 errcode |= ssl_sock_prepare_ctx(ckchi->bind_conf, ckchi->ssl_conf, sc0->ctx, &err);
1351 if (errcode & ERR_CODE)
1352 goto error;
1353 }
1354 }
1355
1356
1357 /* display one dot per new instance */
1358 chunk_appendf(trash, ".");
1359 /* link the new ckch_inst to the duplicate */
1360 LIST_ADDQ(&new_ckchs->ckch_inst, &new_inst->by_ckchs);
1361 y++;
1362 }
1363 appctx->st2 = SETCERT_ST_INSERT;
1364 /* fallthrough */
1365 case SETCERT_ST_INSERT:
1366 /* The generation is finished, we can insert everything */
1367
1368 old_ckchs = appctx->ctx.ssl.old_ckchs;
1369 new_ckchs = appctx->ctx.ssl.new_ckchs;
1370
1371 if (!new_ckchs)
1372 continue;
1373
1374 /* get the list of crtlist_entry in the old store, and update the pointers to the store */
1375 LIST_SPLICE(&new_ckchs->crtlist_entry, &old_ckchs->crtlist_entry);
1376 list_for_each_entry(entry, &new_ckchs->crtlist_entry, by_ckch_store) {
1377 ebpt_delete(&entry->node);
1378 /* change the ptr and reinsert the node */
1379 entry->node.key = new_ckchs;
1380 ebpt_insert(&entry->crtlist->entries, &entry->node);
1381 }
1382
William Lallemanda55685b2020-12-15 14:57:46 +0100[diff] [blame]1383 /* insert the new ckch_insts in the crtlist_entry */
1384 list_for_each_entry(ckchi, &new_ckchs->ckch_inst, by_ckchs) {
1385 if (ckchi->crtlist_entry)
1386 LIST_ADD(&ckchi->crtlist_entry->ckch_inst, &ckchi->by_crtlist_entry);
1387 }
1388
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1389 /* First, we insert every new SNIs in the trees, also replace the default_ctx */
1390 list_for_each_entry_safe(ckchi, ckchis, &new_ckchs->ckch_inst, by_ckchs) {
1391 HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
1392 ssl_sock_load_cert_sni(ckchi, ckchi->bind_conf);
1393 HA_RWLOCK_WRUNLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
1394 }
1395
1396 /* delete the old sni_ctx, the old ckch_insts and the ckch_store */
1397 list_for_each_entry_safe(ckchi, ckchis, &old_ckchs->ckch_inst, by_ckchs) {
1398 struct bind_conf __maybe_unused *bind_conf = ckchi->bind_conf;
1399
1400 HA_RWLOCK_WRLOCK(SNI_LOCK, &bind_conf->sni_lock);
1401 ckch_inst_free(ckchi);
1402 HA_RWLOCK_WRUNLOCK(SNI_LOCK, &bind_conf->sni_lock);
1403 }
1404
1405 /* Replace the old ckchs by the new one */
1406 ckch_store_free(old_ckchs);
1407 ebst_insert(&ckchs_tree, &new_ckchs->node);
1408 appctx->st2 = SETCERT_ST_FIN;
1409 /* fallthrough */
1410 case SETCERT_ST_FIN:
1411 /* we achieved the transaction, we can set everything to NULL */
1412 free(ckchs_transaction.path);
1413 ckchs_transaction.path = NULL;
1414 ckchs_transaction.new_ckchs = NULL;
1415 ckchs_transaction.old_ckchs = NULL;
1416 goto end;
1417 }
1418 }
1419end:
1420
1421 chunk_appendf(trash, "\n");
1422 if (errcode & ERR_WARN)
1423 chunk_appendf(trash, "%s", err);
1424 chunk_appendf(trash, "Success!\n");
1425 if (ci_putchk(si_ic(si), trash) == -1)
1426 si_rx_room_blk(si);
1427 free_trash_chunk(trash);
1428 /* success: call the release function and don't come back */
1429 return 1;
1430yield:
1431 /* store the state */
1432 if (ci_putchk(si_ic(si), trash) == -1)
1433 si_rx_room_blk(si);
1434 free_trash_chunk(trash);
1435 si_rx_endp_more(si); /* let's come back later */
1436 return 0; /* should come back */
1437
1438error:
1439 /* spin unlock and free are done in the release function */
1440 if (trash) {
1441 chunk_appendf(trash, "\n%sFailed!\n", err);
1442 if (ci_putchk(si_ic(si), trash) == -1)
1443 si_rx_room_blk(si);
1444 free_trash_chunk(trash);
1445 }
1446 /* error: call the release function and don't come back */
1447 return 1;
1448}
1449
1450/*
1451 * Parsing function of 'commit ssl cert'
1452 */
1453static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appctx, void *private)
1454{
1455 char *err = NULL;
1456
1457 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
1458 return 1;
1459
1460 if (!*args[3])
1461 return cli_err(appctx, "'commit ssl cert expects a filename\n");
1462
1463 /* The operations on the CKCH architecture are locked so we can
1464 * manipulate ckch_store and ckch_inst */
1465 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
1466 return cli_err(appctx, "Can't commit the certificate!\nOperations on certificates are currently locked!\n");
1467
1468 if (!ckchs_transaction.path) {
1469 memprintf(&err, "No ongoing transaction! !\n");
1470 goto error;
1471 }
1472
1473 if (strcmp(ckchs_transaction.path, args[3]) != 0) {
1474 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to set '%s'\n", ckchs_transaction.path, args[3]);
1475 goto error;
1476 }
1477
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1478 /* if a certificate is here, a private key must be here too */
1479 if (ckchs_transaction.new_ckchs->ckch->cert && !ckchs_transaction.new_ckchs->ckch->key) {
1480 memprintf(&err, "The transaction must contain at least a certificate and a private key!\n");
1481 goto error;
1482 }
William Lallemanda9419522020-06-24 16:26:41 +0200[diff] [blame]1483
William Lallemand5685ccf2020-09-16 16:12:25 +0200[diff] [blame]1484 if (!X509_check_private_key(ckchs_transaction.new_ckchs->ckch->cert, ckchs_transaction.new_ckchs->ckch->key)) {
1485 memprintf(&err, "inconsistencies between private key and certificate loaded '%s'.\n", ckchs_transaction.path);
1486 goto error;
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1487 }
1488
1489 /* init the appctx structure */
1490 appctx->st2 = SETCERT_ST_INIT;
1491 appctx->ctx.ssl.next_ckchi = NULL;
1492 appctx->ctx.ssl.new_ckchs = ckchs_transaction.new_ckchs;
1493 appctx->ctx.ssl.old_ckchs = ckchs_transaction.old_ckchs;
1494
1495 /* we don't unlock there, it will be unlock after the IO handler, in the release handler */
1496 return 0;
1497
1498error:
1499
1500 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1501 err = memprintf(&err, "%sCan't commit %s!\n", err ? err : "", args[3]);
1502
1503 return cli_dynerr(appctx, err);
1504}
1505
1506
1507
1508
1509/*
1510 * Parsing function of `set ssl cert`, it updates or creates a temporary ckch.
1511 */
1512static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx, void *private)
1513{
1514 struct ckch_store *new_ckchs = NULL;
1515 struct ckch_store *old_ckchs = NULL;
1516 char *err = NULL;
1517 int i;
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1518 int errcode = 0;
1519 char *end;
1520 int type = CERT_TYPE_PEM;
1521 struct cert_key_and_chain *ckch;
1522 struct buffer *buf;
1523
1524 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
1525 return 1;
1526
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1527 if (!*args[3] || !payload)
1528 return cli_err(appctx, "'set ssl cert expects a filename and a certificate as a payload\n");
1529
1530 /* The operations on the CKCH architecture are locked so we can
1531 * manipulate ckch_store and ckch_inst */
1532 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
1533 return cli_err(appctx, "Can't update the certificate!\nOperations on certificates are currently locked!\n");
1534
William Lallemande5ff4ad2020-06-08 09:40:37 +0200[diff] [blame]1535 if ((buf = alloc_trash_chunk()) == NULL)
1536 return cli_err(appctx, "Can't allocate memory\n");
1537
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1538 if (!chunk_strcpy(buf, args[3])) {
1539 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
1540 errcode |= ERR_ALERT | ERR_FATAL;
1541 goto end;
1542 }
1543
1544 /* check which type of file we want to update */
1545 for (i = 0; cert_exts[i].type < CERT_TYPE_MAX; i++) {
1546 end = strrchr(buf->area, '.');
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100[diff] [blame]1547 if (end && *cert_exts[i].ext && (strcmp(end + 1, cert_exts[i].ext) == 0)) {
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1548 *end = '\0';
William Lallemand089c1382020-10-23 17:35:12 +0200[diff] [blame]1549 buf->data = strlen(buf->area);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1550 type = cert_exts[i].type;
1551 break;
1552 }
1553 }
1554
1555 appctx->ctx.ssl.old_ckchs = NULL;
1556 appctx->ctx.ssl.new_ckchs = NULL;
1557
1558 /* if there is an ongoing transaction */
1559 if (ckchs_transaction.path) {
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1560 /* if there is an ongoing transaction, check if this is the same file */
1561 if (strcmp(ckchs_transaction.path, buf->area) != 0) {
William Lallemand089c1382020-10-23 17:35:12 +0200[diff] [blame]1562 /* we didn't find the transaction, must try more cases below */
1563
1564 /* if the del-ext option is activated we should try to take a look at a ".crt" too. */
1565 if (type != CERT_TYPE_PEM && global_ssl.extra_files_noext) {
1566 if (!chunk_strcat(buf, ".crt")) {
1567 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
1568 errcode |= ERR_ALERT | ERR_FATAL;
1569 goto end;
1570 }
1571
1572 if (strcmp(ckchs_transaction.path, buf->area) != 0) {
1573 /* remove .crt of the error message */
1574 *(b_orig(buf) + b_data(buf) + strlen(".crt")) = '\0';
1575 b_sub(buf, strlen(".crt"));
1576
1577 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to set '%s'\n", ckchs_transaction.path, buf->area);
1578 errcode |= ERR_ALERT | ERR_FATAL;
1579 goto end;
1580 }
1581 }
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1582 }
1583
1584 appctx->ctx.ssl.old_ckchs = ckchs_transaction.new_ckchs;
1585
1586 } else {
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1587
William Lallemand95fefa12020-09-09 12:01:33 +0200[diff] [blame]1588 /* lookup for the certificate in the tree */
1589 appctx->ctx.ssl.old_ckchs = ckchs_lookup(buf->area);
William Lallemand089c1382020-10-23 17:35:12 +0200[diff] [blame]1590
1591 if (!appctx->ctx.ssl.old_ckchs) {
1592 /* if the del-ext option is activated we should try to take a look at a ".crt" too. */
1593 if (type != CERT_TYPE_PEM && global_ssl.extra_files_noext) {
1594 if (!chunk_strcat(buf, ".crt")) {
1595 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
1596 errcode |= ERR_ALERT | ERR_FATAL;
1597 goto end;
1598 }
1599 appctx->ctx.ssl.old_ckchs = ckchs_lookup(buf->area);
1600 }
1601 }
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1602 }
1603
1604 if (!appctx->ctx.ssl.old_ckchs) {
1605 memprintf(&err, "%sCan't replace a certificate which is not referenced by the configuration!\n",
1606 err ? err : "");
1607 errcode |= ERR_ALERT | ERR_FATAL;
1608 goto end;
1609 }
1610
1611 if (!appctx->ctx.ssl.path) {
1612 /* this is a new transaction, set the path of the transaction */
1613 appctx->ctx.ssl.path = strdup(appctx->ctx.ssl.old_ckchs->path);
1614 if (!appctx->ctx.ssl.path) {
1615 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
1616 errcode |= ERR_ALERT | ERR_FATAL;
1617 goto end;
1618 }
1619 }
1620
1621 old_ckchs = appctx->ctx.ssl.old_ckchs;
1622
1623 /* duplicate the ckch store */
1624 new_ckchs = ckchs_dup(old_ckchs);
1625 if (!new_ckchs) {
1626 memprintf(&err, "%sCannot allocate memory!\n",
1627 err ? err : "");
1628 errcode |= ERR_ALERT | ERR_FATAL;
1629 goto end;
1630 }
1631
William Lallemand95fefa12020-09-09 12:01:33 +0200[diff] [blame]1632 ckch = new_ckchs->ckch;
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1633
1634 /* appply the change on the duplicate */
1635 if (cert_exts[type].load(buf->area, payload, ckch, &err) != 0) {
1636 memprintf(&err, "%sCan't load the payload\n", err ? err : "");
1637 errcode |= ERR_ALERT | ERR_FATAL;
1638 goto end;
1639 }
1640
1641 appctx->ctx.ssl.new_ckchs = new_ckchs;
1642
1643 /* we succeed, we can save the ckchs in the transaction */
1644
1645 /* if there wasn't a transaction, update the old ckchs */
1646 if (!ckchs_transaction.old_ckchs) {
1647 ckchs_transaction.old_ckchs = appctx->ctx.ssl.old_ckchs;
1648 ckchs_transaction.path = appctx->ctx.ssl.path;
1649 err = memprintf(&err, "Transaction created for certificate %s!\n", ckchs_transaction.path);
1650 } else {
1651 err = memprintf(&err, "Transaction updated for certificate %s!\n", ckchs_transaction.path);
1652
1653 }
1654
1655 /* free the previous ckchs if there was a transaction */
1656 ckch_store_free(ckchs_transaction.new_ckchs);
1657
1658 ckchs_transaction.new_ckchs = appctx->ctx.ssl.new_ckchs;
1659
1660
1661 /* creates the SNI ctxs later in the IO handler */
1662
1663end:
1664 free_trash_chunk(buf);
1665
1666 if (errcode & ERR_CODE) {
1667
1668 ckch_store_free(appctx->ctx.ssl.new_ckchs);
1669 appctx->ctx.ssl.new_ckchs = NULL;
1670
1671 appctx->ctx.ssl.old_ckchs = NULL;
1672
1673 free(appctx->ctx.ssl.path);
1674 appctx->ctx.ssl.path = NULL;
1675
1676 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1677 return cli_dynerr(appctx, memprintf(&err, "%sCan't update %s!\n", err ? err : "", args[3]));
1678 } else {
1679
1680 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1681 return cli_dynmsg(appctx, LOG_NOTICE, err);
1682 }
1683 /* TODO: handle the ERR_WARN which are not handled because of the io_handler */
1684}
1685
1686/* parsing function of 'abort ssl cert' */
1687static int cli_parse_abort_cert(char **args, char *payload, struct appctx *appctx, void *private)
1688{
1689 char *err = NULL;
1690
1691 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
1692 return 1;
1693
1694 if (!*args[3])
1695 return cli_err(appctx, "'abort ssl cert' expects a filename\n");
1696
1697 /* The operations on the CKCH architecture are locked so we can
1698 * manipulate ckch_store and ckch_inst */
1699 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
1700 return cli_err(appctx, "Can't abort!\nOperations on certificates are currently locked!\n");
1701
1702 if (!ckchs_transaction.path) {
1703 memprintf(&err, "No ongoing transaction!\n");
1704 goto error;
1705 }
1706
1707 if (strcmp(ckchs_transaction.path, args[3]) != 0) {
1708 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to abort a transaction for '%s'\n", ckchs_transaction.path, args[3]);
1709 goto error;
1710 }
1711
1712 /* Only free the ckchs there, because the SNI and instances were not generated yet */
1713 ckch_store_free(ckchs_transaction.new_ckchs);
1714 ckchs_transaction.new_ckchs = NULL;
1715 ckch_store_free(ckchs_transaction.old_ckchs);
1716 ckchs_transaction.old_ckchs = NULL;
1717 free(ckchs_transaction.path);
1718 ckchs_transaction.path = NULL;
1719
1720 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1721
1722 err = memprintf(&err, "Transaction aborted for certificate '%s'!\n", args[3]);
1723 return cli_dynmsg(appctx, LOG_NOTICE, err);
1724
1725error:
1726 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1727
1728 return cli_dynerr(appctx, err);
1729}
1730
1731/* parsing function of 'new ssl cert' */
1732static int cli_parse_new_cert(char **args, char *payload, struct appctx *appctx, void *private)
1733{
1734 struct ckch_store *store;
1735 char *err = NULL;
1736 char *path;
1737
1738 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
1739 return 1;
1740
1741 if (!*args[3])
1742 return cli_err(appctx, "'new ssl cert' expects a filename\n");
1743
1744 path = args[3];
1745
1746 /* The operations on the CKCH architecture are locked so we can
1747 * manipulate ckch_store and ckch_inst */
1748 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
1749 return cli_err(appctx, "Can't create a certificate!\nOperations on certificates are currently locked!\n");
1750
1751 store = ckchs_lookup(path);
1752 if (store != NULL) {
1753 memprintf(&err, "Certificate '%s' already exists!\n", path);
1754 store = NULL; /* we don't want to free it */
1755 goto error;
1756 }
1757 /* we won't support multi-certificate bundle here */
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200[diff] [blame]1758 store = ckch_store_new(path);
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1759 if (!store) {
1760 memprintf(&err, "unable to allocate memory.\n");
1761 goto error;
1762 }
1763
1764 /* insert into the ckchs tree */
1765 ebst_insert(&ckchs_tree, &store->node);
1766 memprintf(&err, "New empty certificate store '%s'!\n", args[3]);
1767
1768 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1769 return cli_dynmsg(appctx, LOG_NOTICE, err);
1770error:
1771 free(store);
1772 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1773 return cli_dynerr(appctx, err);
1774}
1775
1776/* parsing function of 'del ssl cert' */
1777static int cli_parse_del_cert(char **args, char *payload, struct appctx *appctx, void *private)
1778{
1779 struct ckch_store *store;
1780 char *err = NULL;
1781 char *filename;
1782
1783 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
1784 return 1;
1785
1786 if (!*args[3])
1787 return cli_err(appctx, "'del ssl cert' expects a certificate name\n");
1788
1789 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
1790 return cli_err(appctx, "Can't delete the certificate!\nOperations on certificates are currently locked!\n");
1791
1792 filename = args[3];
1793
1794 store = ckchs_lookup(filename);
1795 if (store == NULL) {
1796 memprintf(&err, "certificate '%s' doesn't exist!\n", filename);
1797 goto error;
1798 }
1799 if (!LIST_ISEMPTY(&store->ckch_inst)) {
1800 memprintf(&err, "certificate '%s' in use, can't be deleted!\n", filename);
1801 goto error;
1802 }
1803
1804 ebmb_delete(&store->node);
1805 ckch_store_free(store);
1806
1807 memprintf(&err, "Certificate '%s' deleted!\n", filename);
1808
1809 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1810 return cli_dynmsg(appctx, LOG_NOTICE, err);
1811
1812error:
1813 memprintf(&err, "Can't remove the certificate: %s\n", err ? err : "");
1814 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1815 return cli_dynerr(appctx, err);
1816}
1817
William Lallemandee8530c2020-06-23 18:19:42 +0200[diff] [blame]1818void ckch_deinit()
1819{
1820 struct eb_node *node, *next;
1821 struct ckch_store *store;
1822
1823 node = eb_first(&ckchs_tree);
1824 while (node) {
1825 next = eb_next(node);
1826 store = ebmb_entry(node, struct ckch_store, node);
1827 ckch_store_free(store);
1828 node = next;
1829 }
1830}
William Lallemandda8584c2020-05-14 10:14:37 +0200[diff] [blame]1831
1832/* register cli keywords */
1833static struct cli_kw_list cli_kws = {{ },{
1834 { { "new", "ssl", "cert", NULL }, "new ssl cert <certfile> : create a new certificate file to be used in a crt-list or a directory", cli_parse_new_cert, NULL, NULL },
1835 { { "set", "ssl", "cert", NULL }, "set ssl cert <certfile> <payload> : replace a certificate file", cli_parse_set_cert, NULL, NULL },
1836 { { "commit", "ssl", "cert", NULL }, "commit ssl cert <certfile> : commit a certificate file", cli_parse_commit_cert, cli_io_handler_commit_cert, cli_release_commit_cert },
1837 { { "abort", "ssl", "cert", NULL }, "abort ssl cert <certfile> : abort a transaction for a certificate file", cli_parse_abort_cert, NULL, NULL },
1838 { { "del", "ssl", "cert", NULL }, "del ssl cert <certfile> : delete an unused certificate file", cli_parse_del_cert, NULL, NULL },
1839 { { "show", "ssl", "cert", NULL }, "show ssl cert [<certfile>] : display the SSL certificates used in memory, or the details of a <certfile>", cli_parse_show_cert, cli_io_handler_show_cert, cli_release_show_cert },
1840 { { NULL }, NULL, NULL, NULL }
1841}};
1842
1843INITCALL1(STG_REGISTER, cli_register_kw, &cli_kws);
1844