blob: 192ad6c666ff1981da90872130e49ee244f85b80 [file] [log] [blame]
William Lallemand03c331c2020-05-13 10:10:01 +02001/*
2 *
3 * Copyright (C) 2020 HAProxy Technologies, William Lallemand <wlallemand@haproxy.com>
4 *
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version
8 * 2 of the License, or (at your option) any later version.
9 *
10 */
11
12#define _GNU_SOURCE
13#include <ctype.h>
14#include <errno.h>
15#include <fcntl.h>
16#include <stdio.h>
17#include <stdlib.h>
18#include <string.h>
Willy Tarreauaeed4a82020-06-04 22:01:04 +020019#include <syslog.h>
William Lallemand03c331c2020-05-13 10:10:01 +020020#include <unistd.h>
21
22#include <sys/stat.h>
23#include <sys/types.h>
24
Willy Tarreau74f24562021-10-06 17:54:12 +020025#include <import/ebpttree.h>
Willy Tarreaub2551052020-06-09 09:07:15 +020026#include <import/ebsttree.h>
27
Willy Tarreau8d366972020-05-27 16:10:29 +020028#include <haproxy/base64.h>
Willy Tarreauf1d32c42020-06-04 21:07:02 +020029#include <haproxy/channel.h>
Willy Tarreau83487a82020-06-04 20:19:54 +020030#include <haproxy/cli.h>
Willy Tarreau8d366972020-05-27 16:10:29 +020031#include <haproxy/errors.h>
Willy Tarreau47d7f902020-06-04 14:25:47 +020032#include <haproxy/ssl_ckch.h>
Willy Tarreau209108d2020-06-04 20:30:20 +020033#include <haproxy/ssl_sock.h>
Willy Tarreaub2bd8652020-06-04 14:21:22 +020034#include <haproxy/ssl_utils.h>
Willy Tarreau5e539c92020-06-04 20:45:39 +020035#include <haproxy/stream_interface.h>
Willy Tarreau48fbcae2020-06-03 18:09:46 +020036#include <haproxy/tools.h>
William Lallemand03c331c2020-05-13 10:10:01 +020037
William Lallemandda8584c2020-05-14 10:14:37 +020038/* Uncommitted CKCH transaction */
39
40static struct {
41 struct ckch_store *new_ckchs;
42 struct ckch_store *old_ckchs;
43 char *path;
44} ckchs_transaction;
45
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +010046/* Uncommitted CA file transaction */
47
48static struct {
49 struct cafile_entry *old_cafile_entry;
50 struct cafile_entry *new_cafile_entry;
51 char *path;
52} cafile_transaction;
William Lallemandda8584c2020-05-14 10:14:37 +020053
Remi Tricot-Le Bretona51b3392021-04-20 17:38:14 +020054/* Uncommitted CRL file transaction */
55
56static struct {
57 struct cafile_entry *old_crlfile_entry;
58 struct cafile_entry *new_crlfile_entry;
59 char *path;
60} crlfile_transaction;
61
William Lallemand03c331c2020-05-13 10:10:01 +020062
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +010063
William Lallemand03c331c2020-05-13 10:10:01 +020064/******************** cert_key_and_chain functions *************************
65 * These are the functions that fills a cert_key_and_chain structure. For the
66 * functions filling a SSL_CTX from a cert_key_and_chain, see ssl_sock.c
67 */
68
69/*
70 * Try to parse Signed Certificate Timestamp List structure. This function
71 * makes only basic test if the data seems like SCTL. No signature validation
72 * is performed.
73 */
74static int ssl_sock_parse_sctl(struct buffer *sctl)
75{
76 int ret = 1;
77 int len, pos, sct_len;
78 unsigned char *data;
79
80 if (sctl->data < 2)
81 goto out;
82
83 data = (unsigned char *) sctl->area;
84 len = (data[0] << 8) | data[1];
85
86 if (len + 2 != sctl->data)
87 goto out;
88
89 data = data + 2;
90 pos = 0;
91 while (pos < len) {
92 if (len - pos < 2)
93 goto out;
94
95 sct_len = (data[pos] << 8) | data[pos + 1];
96 if (pos + sct_len + 2 > len)
97 goto out;
98
99 pos += sct_len + 2;
100 }
101
102 ret = 0;
103
104out:
105 return ret;
106}
107
108/* Try to load a sctl from a buffer <buf> if not NULL, or read the file <sctl_path>
109 * It fills the ckch->sctl buffer
110 * return 0 on success or != 0 on failure */
111int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_key_and_chain *ckch, char **err)
112{
113 int fd = -1;
114 int r = 0;
115 int ret = 1;
116 struct buffer tmp;
117 struct buffer *src;
118 struct buffer *sctl;
119
120 if (buf) {
William Lallemand8d673942021-01-27 14:58:51 +0100121 chunk_initstr(&tmp, buf);
William Lallemand03c331c2020-05-13 10:10:01 +0200122 src = &tmp;
123 } else {
124 fd = open(sctl_path, O_RDONLY);
125 if (fd == -1)
126 goto end;
127
128 trash.data = 0;
129 while (trash.data < trash.size) {
130 r = read(fd, trash.area + trash.data, trash.size - trash.data);
131 if (r < 0) {
132 if (errno == EINTR)
133 continue;
134 goto end;
135 }
136 else if (r == 0) {
137 break;
138 }
139 trash.data += r;
140 }
141 src = &trash;
142 }
143
144 ret = ssl_sock_parse_sctl(src);
145 if (ret)
146 goto end;
147
148 sctl = calloc(1, sizeof(*sctl));
149 if (!chunk_dup(sctl, src)) {
Willy Tarreau61cfdf42021-02-20 10:46:51 +0100150 ha_free(&sctl);
William Lallemand03c331c2020-05-13 10:10:01 +0200151 goto end;
152 }
153 /* no error, fill ckch with new context, old context must be free */
154 if (ckch->sctl) {
Willy Tarreau61cfdf42021-02-20 10:46:51 +0100155 ha_free(&ckch->sctl->area);
William Lallemand03c331c2020-05-13 10:10:01 +0200156 free(ckch->sctl);
157 }
158 ckch->sctl = sctl;
159 ret = 0;
160end:
161 if (fd != -1)
162 close(fd);
163
164 return ret;
165}
166
167#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
168/*
Ilya Shipitsin46a030c2020-07-05 16:36:08 +0500169 * This function load the OCSP Response in DER format contained in file at
William Lallemand03c331c2020-05-13 10:10:01 +0200170 * path 'ocsp_path' or base64 in a buffer <buf>
171 *
172 * Returns 0 on success, 1 in error case.
173 */
174int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct cert_key_and_chain *ckch, char **err)
175{
176 int fd = -1;
177 int r = 0;
178 int ret = 1;
179 struct buffer *ocsp_response;
180 struct buffer *src = NULL;
181
182 if (buf) {
183 int i, j;
184 /* if it's from a buffer it will be base64 */
185
186 /* remove \r and \n from the payload */
187 for (i = 0, j = 0; buf[i]; i++) {
188 if (buf[i] == '\r' || buf[i] == '\n')
189 continue;
190 buf[j++] = buf[i];
191 }
192 buf[j] = 0;
193
194 ret = base64dec(buf, j, trash.area, trash.size);
195 if (ret < 0) {
196 memprintf(err, "Error reading OCSP response in base64 format");
197 goto end;
198 }
199 trash.data = ret;
200 src = &trash;
201 } else {
202 fd = open(ocsp_path, O_RDONLY);
203 if (fd == -1) {
204 memprintf(err, "Error opening OCSP response file");
205 goto end;
206 }
207
208 trash.data = 0;
209 while (trash.data < trash.size) {
210 r = read(fd, trash.area + trash.data, trash.size - trash.data);
211 if (r < 0) {
212 if (errno == EINTR)
213 continue;
214
215 memprintf(err, "Error reading OCSP response from file");
216 goto end;
217 }
218 else if (r == 0) {
219 break;
220 }
221 trash.data += r;
222 }
223 close(fd);
224 fd = -1;
225 src = &trash;
226 }
227
228 ocsp_response = calloc(1, sizeof(*ocsp_response));
229 if (!chunk_dup(ocsp_response, src)) {
Willy Tarreau61cfdf42021-02-20 10:46:51 +0100230 ha_free(&ocsp_response);
William Lallemand03c331c2020-05-13 10:10:01 +0200231 goto end;
232 }
233 /* no error, fill ckch with new context, old context must be free */
234 if (ckch->ocsp_response) {
Willy Tarreau61cfdf42021-02-20 10:46:51 +0100235 ha_free(&ckch->ocsp_response->area);
William Lallemand03c331c2020-05-13 10:10:01 +0200236 free(ckch->ocsp_response);
237 }
238 ckch->ocsp_response = ocsp_response;
239 ret = 0;
240end:
241 if (fd != -1)
242 close(fd);
243
244 return ret;
245}
246#endif
247
248/*
249 * Try to load in a ckch every files related to a ckch.
250 * (PEM, sctl, ocsp, issuer etc.)
251 *
252 * This function is only used to load files during the configuration parsing,
253 * it is not used with the CLI.
254 *
255 * This allows us to carry the contents of the file without having to read the
256 * file multiple times. The caller must call
257 * ssl_sock_free_cert_key_and_chain_contents.
258 *
259 * returns:
260 * 0 on Success
261 * 1 on SSL Failure
262 */
263int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *ckch, char **err)
264{
William Lallemand8e8581e2020-10-20 17:36:46 +0200265 struct buffer *fp = NULL;
William Lallemand03c331c2020-05-13 10:10:01 +0200266 int ret = 1;
267
268 /* try to load the PEM */
269 if (ssl_sock_load_pem_into_ckch(path, NULL, ckch , err) != 0) {
270 goto end;
271 }
272
William Lallemand8e8581e2020-10-20 17:36:46 +0200273 fp = alloc_trash_chunk();
274 if (!fp) {
275 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
276 goto end;
277 }
278
279 if (!chunk_strcpy(fp, path) || (b_data(fp) > MAXPATHLEN)) {
280 memprintf(err, "%s '%s' filename too long'.\n",
281 err && *err ? *err : "", fp->area);
282 ret = 1;
283 goto end;
284 }
285
William Lallemand089c1382020-10-23 17:35:12 +0200286 /* remove the ".crt" extension */
William Lallemand8e8581e2020-10-20 17:36:46 +0200287 if (global_ssl.extra_files_noext) {
288 char *ext;
289
290 /* look for the extension */
291 if ((ext = strrchr(fp->area, '.'))) {
William Lallemand8e8581e2020-10-20 17:36:46 +0200292
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100293 if (strcmp(ext, ".crt") == 0) {
William Lallemand8e8581e2020-10-20 17:36:46 +0200294 *ext = '\0';
William Lallemand089c1382020-10-23 17:35:12 +0200295 fp->data = strlen(fp->area);
296 }
William Lallemand8e8581e2020-10-20 17:36:46 +0200297 }
298
299 }
300
William Lallemand03c331c2020-05-13 10:10:01 +0200301 /* try to load an external private key if it wasn't in the PEM */
302 if ((ckch->key == NULL) && (global_ssl.extra_files & SSL_GF_KEY)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200303 struct stat st;
304
William Lallemand8e8581e2020-10-20 17:36:46 +0200305
306 if (!chunk_strcat(fp, ".key") || (b_data(fp) > MAXPATHLEN)) {
307 memprintf(err, "%s '%s' filename too long'.\n",
308 err && *err ? *err : "", fp->area);
309 ret = 1;
310 goto end;
311 }
312
313 if (stat(fp->area, &st) == 0) {
314 if (ssl_sock_load_key_into_ckch(fp->area, NULL, ckch, err)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200315 memprintf(err, "%s '%s' is present but cannot be read or parsed'.\n",
William Lallemand8e8581e2020-10-20 17:36:46 +0200316 err && *err ? *err : "", fp->area);
William Lallemand03c331c2020-05-13 10:10:01 +0200317 goto end;
318 }
319 }
William Lallemand03c331c2020-05-13 10:10:01 +0200320
William Lallemand8e8581e2020-10-20 17:36:46 +0200321 if (ckch->key == NULL) {
322 memprintf(err, "%sNo Private Key found in '%s'.\n", err && *err ? *err : "", fp->area);
323 goto end;
324 }
325 /* remove the added extension */
326 *(fp->area + fp->data - strlen(".key")) = '\0';
327 b_sub(fp, strlen(".key"));
William Lallemand03c331c2020-05-13 10:10:01 +0200328 }
329
330 if (!X509_check_private_key(ckch->cert, ckch->key)) {
331 memprintf(err, "%sinconsistencies between private key and certificate loaded '%s'.\n",
332 err && *err ? *err : "", path);
333 goto end;
334 }
335
Ilya Shipitsinc47d6762021-02-13 11:45:33 +0500336#ifdef HAVE_SSL_SCTL
William Lallemand03c331c2020-05-13 10:10:01 +0200337 /* try to load the sctl file */
338 if (global_ssl.extra_files & SSL_GF_SCTL) {
William Lallemand03c331c2020-05-13 10:10:01 +0200339 struct stat st;
340
William Lallemand8e8581e2020-10-20 17:36:46 +0200341 if (!chunk_strcat(fp, ".sctl") || b_data(fp) > MAXPATHLEN) {
342 memprintf(err, "%s '%s' filename too long'.\n",
343 err && *err ? *err : "", fp->area);
344 ret = 1;
345 goto end;
346 }
347
348 if (stat(fp->area, &st) == 0) {
349 if (ssl_sock_load_sctl_from_file(fp->area, NULL, ckch, err)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200350 memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
William Lallemand8e8581e2020-10-20 17:36:46 +0200351 err && *err ? *err : "", fp->area);
William Lallemand03c331c2020-05-13 10:10:01 +0200352 ret = 1;
353 goto end;
354 }
355 }
William Lallemand8e8581e2020-10-20 17:36:46 +0200356 /* remove the added extension */
357 *(fp->area + fp->data - strlen(".sctl")) = '\0';
358 b_sub(fp, strlen(".sctl"));
William Lallemand03c331c2020-05-13 10:10:01 +0200359 }
360#endif
361
362 /* try to load an ocsp response file */
363 if (global_ssl.extra_files & SSL_GF_OCSP) {
William Lallemand03c331c2020-05-13 10:10:01 +0200364 struct stat st;
365
William Lallemand8e8581e2020-10-20 17:36:46 +0200366 if (!chunk_strcat(fp, ".ocsp") || b_data(fp) > MAXPATHLEN) {
367 memprintf(err, "%s '%s' filename too long'.\n",
368 err && *err ? *err : "", fp->area);
369 ret = 1;
370 goto end;
371 }
372
373 if (stat(fp->area, &st) == 0) {
374 if (ssl_sock_load_ocsp_response_from_file(fp->area, NULL, ckch, err)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200375 ret = 1;
376 goto end;
377 }
378 }
William Lallemand8e8581e2020-10-20 17:36:46 +0200379 /* remove the added extension */
380 *(fp->area + fp->data - strlen(".ocsp")) = '\0';
381 b_sub(fp, strlen(".ocsp"));
William Lallemand03c331c2020-05-13 10:10:01 +0200382 }
383
384#ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */
385 if (ckch->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) {
386 /* if no issuer was found, try to load an issuer from the .issuer */
387 if (!ckch->ocsp_issuer) {
388 struct stat st;
William Lallemand8e8581e2020-10-20 17:36:46 +0200389
390 if (!chunk_strcat(fp, ".issuer") || b_data(fp) > MAXPATHLEN) {
391 memprintf(err, "%s '%s' filename too long'.\n",
392 err && *err ? *err : "", fp->area);
393 ret = 1;
394 goto end;
395 }
William Lallemand03c331c2020-05-13 10:10:01 +0200396
William Lallemand8e8581e2020-10-20 17:36:46 +0200397 if (stat(fp->area, &st) == 0) {
398 if (ssl_sock_load_issuer_file_into_ckch(fp->area, NULL, ckch, err)) {
William Lallemand03c331c2020-05-13 10:10:01 +0200399 ret = 1;
400 goto end;
401 }
402
403 if (X509_check_issued(ckch->ocsp_issuer, ckch->cert) != X509_V_OK) {
404 memprintf(err, "%s '%s' is not an issuer'.\n",
William Lallemand8e8581e2020-10-20 17:36:46 +0200405 err && *err ? *err : "", fp->area);
William Lallemand03c331c2020-05-13 10:10:01 +0200406 ret = 1;
407 goto end;
408 }
409 }
William Lallemand8e8581e2020-10-20 17:36:46 +0200410 /* remove the added extension */
411 *(fp->area + fp->data - strlen(".issuer")) = '\0';
412 b_sub(fp, strlen(".issuer"));
William Lallemand03c331c2020-05-13 10:10:01 +0200413 }
414 }
415#endif
416
417 ret = 0;
418
419end:
420
421 ERR_clear_error();
422
423 /* Something went wrong in one of the reads */
424 if (ret != 0)
425 ssl_sock_free_cert_key_and_chain_contents(ckch);
426
William Lallemand8e8581e2020-10-20 17:36:46 +0200427 free_trash_chunk(fp);
428
William Lallemand03c331c2020-05-13 10:10:01 +0200429 return ret;
430}
431
432/*
433 * Try to load a private key file from a <path> or a buffer <buf>
434 *
435 * If it failed you should not attempt to use the ckch but free it.
436 *
437 * Return 0 on success or != 0 on failure
438 */
439int ssl_sock_load_key_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err)
440{
441 BIO *in = NULL;
442 int ret = 1;
443 EVP_PKEY *key = NULL;
444
445 if (buf) {
446 /* reading from a buffer */
447 in = BIO_new_mem_buf(buf, -1);
448 if (in == NULL) {
449 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
450 goto end;
451 }
452
453 } else {
454 /* reading from a file */
455 in = BIO_new(BIO_s_file());
456 if (in == NULL)
457 goto end;
458
459 if (BIO_read_filename(in, path) <= 0)
460 goto end;
461 }
462
463 /* Read Private Key */
464 key = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
465 if (key == NULL) {
466 memprintf(err, "%sunable to load private key from file '%s'.\n",
467 err && *err ? *err : "", path);
468 goto end;
469 }
470
471 ret = 0;
472
473 SWAP(ckch->key, key);
474
475end:
476
477 ERR_clear_error();
478 if (in)
479 BIO_free(in);
480 if (key)
481 EVP_PKEY_free(key);
482
483 return ret;
484}
485
486/*
487 * Try to load a PEM file from a <path> or a buffer <buf>
488 * The PEM must contain at least a Certificate,
489 * It could contain a DH, a certificate chain and a PrivateKey.
490 *
491 * If it failed you should not attempt to use the ckch but free it.
492 *
493 * Return 0 on success or != 0 on failure
494 */
495int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch , char **err)
496{
497 BIO *in = NULL;
498 int ret = 1;
499 X509 *ca;
500 X509 *cert = NULL;
501 EVP_PKEY *key = NULL;
502 DH *dh = NULL;
503 STACK_OF(X509) *chain = NULL;
504
505 if (buf) {
506 /* reading from a buffer */
507 in = BIO_new_mem_buf(buf, -1);
508 if (in == NULL) {
509 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
510 goto end;
511 }
512
513 } else {
514 /* reading from a file */
515 in = BIO_new(BIO_s_file());
516 if (in == NULL) {
517 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
518 goto end;
519 }
520
521 if (BIO_read_filename(in, path) <= 0) {
522 memprintf(err, "%scannot open the file '%s'.\n",
523 err && *err ? *err : "", path);
524 goto end;
525 }
526 }
527
528 /* Read Private Key */
529 key = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
530 /* no need to check for errors here, because the private key could be loaded later */
531
532#ifndef OPENSSL_NO_DH
533 /* Seek back to beginning of file */
534 if (BIO_reset(in) == -1) {
535 memprintf(err, "%san error occurred while reading the file '%s'.\n",
536 err && *err ? *err : "", path);
537 goto end;
538 }
539
540 dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
541 /* no need to return an error there, dh is not mandatory */
542#endif
543
544 /* Seek back to beginning of file */
545 if (BIO_reset(in) == -1) {
546 memprintf(err, "%san error occurred while reading the file '%s'.\n",
547 err && *err ? *err : "", path);
548 goto end;
549 }
550
551 /* Read Certificate */
552 cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
553 if (cert == NULL) {
554 memprintf(err, "%sunable to load certificate from file '%s'.\n",
555 err && *err ? *err : "", path);
556 goto end;
557 }
558
559 /* Look for a Certificate Chain */
560 while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
561 if (chain == NULL)
562 chain = sk_X509_new_null();
563 if (!sk_X509_push(chain, ca)) {
564 X509_free(ca);
565 goto end;
566 }
567 }
568
569 ret = ERR_get_error();
570 if (ret && (ERR_GET_LIB(ret) != ERR_LIB_PEM && ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) {
571 memprintf(err, "%sunable to load certificate chain from file '%s'.\n",
572 err && *err ? *err : "", path);
573 goto end;
574 }
575
576 /* once it loaded the PEM, it should remove everything else in the ckch */
577 if (ckch->ocsp_response) {
Willy Tarreau61cfdf42021-02-20 10:46:51 +0100578 ha_free(&ckch->ocsp_response->area);
579 ha_free(&ckch->ocsp_response);
William Lallemand03c331c2020-05-13 10:10:01 +0200580 }
581
582 if (ckch->sctl) {
Willy Tarreau61cfdf42021-02-20 10:46:51 +0100583 ha_free(&ckch->sctl->area);
584 ha_free(&ckch->sctl);
William Lallemand03c331c2020-05-13 10:10:01 +0200585 }
586
587 if (ckch->ocsp_issuer) {
588 X509_free(ckch->ocsp_issuer);
589 ckch->ocsp_issuer = NULL;
590 }
591
592 /* no error, fill ckch with new context, old context will be free at end: */
593 SWAP(ckch->key, key);
594 SWAP(ckch->dh, dh);
595 SWAP(ckch->cert, cert);
596 SWAP(ckch->chain, chain);
597
598 ret = 0;
599
600end:
601
602 ERR_clear_error();
603 if (in)
604 BIO_free(in);
605 if (key)
606 EVP_PKEY_free(key);
607 if (dh)
608 DH_free(dh);
609 if (cert)
610 X509_free(cert);
611 if (chain)
612 sk_X509_pop_free(chain, X509_free);
613
614 return ret;
615}
616
617/* Frees the contents of a cert_key_and_chain
618 */
619void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch)
620{
621 if (!ckch)
622 return;
623
624 /* Free the certificate and set pointer to NULL */
625 if (ckch->cert)
626 X509_free(ckch->cert);
627 ckch->cert = NULL;
628
629 /* Free the key and set pointer to NULL */
630 if (ckch->key)
631 EVP_PKEY_free(ckch->key);
632 ckch->key = NULL;
633
634 /* Free each certificate in the chain */
635 if (ckch->chain)
636 sk_X509_pop_free(ckch->chain, X509_free);
637 ckch->chain = NULL;
638
639 if (ckch->dh)
640 DH_free(ckch->dh);
641 ckch->dh = NULL;
642
643 if (ckch->sctl) {
Willy Tarreau61cfdf42021-02-20 10:46:51 +0100644 ha_free(&ckch->sctl->area);
645 ha_free(&ckch->sctl);
William Lallemand03c331c2020-05-13 10:10:01 +0200646 }
647
648 if (ckch->ocsp_response) {
Willy Tarreau61cfdf42021-02-20 10:46:51 +0100649 ha_free(&ckch->ocsp_response->area);
650 ha_free(&ckch->ocsp_response);
William Lallemand03c331c2020-05-13 10:10:01 +0200651 }
652
653 if (ckch->ocsp_issuer)
654 X509_free(ckch->ocsp_issuer);
655 ckch->ocsp_issuer = NULL;
656}
657
658/*
659 *
660 * This function copy a cert_key_and_chain in memory
661 *
662 * It's used to try to apply changes on a ckch before committing them, because
663 * most of the time it's not possible to revert those changes
664 *
665 * Return a the dst or NULL
666 */
667struct cert_key_and_chain *ssl_sock_copy_cert_key_and_chain(struct cert_key_and_chain *src,
668 struct cert_key_and_chain *dst)
669{
William Lallemand6c096142021-02-23 14:45:45 +0100670 if (!src || !dst)
671 return NULL;
672
William Lallemand03c331c2020-05-13 10:10:01 +0200673 if (src->cert) {
674 dst->cert = src->cert;
675 X509_up_ref(src->cert);
676 }
677
678 if (src->key) {
679 dst->key = src->key;
680 EVP_PKEY_up_ref(src->key);
681 }
682
683 if (src->chain) {
684 dst->chain = X509_chain_up_ref(src->chain);
685 }
686
687 if (src->dh) {
688 DH_up_ref(src->dh);
689 dst->dh = src->dh;
690 }
691
692 if (src->sctl) {
693 struct buffer *sctl;
694
695 sctl = calloc(1, sizeof(*sctl));
696 if (!chunk_dup(sctl, src->sctl)) {
Willy Tarreau61cfdf42021-02-20 10:46:51 +0100697 ha_free(&sctl);
William Lallemand03c331c2020-05-13 10:10:01 +0200698 goto error;
699 }
700 dst->sctl = sctl;
701 }
702
703 if (src->ocsp_response) {
704 struct buffer *ocsp_response;
705
706 ocsp_response = calloc(1, sizeof(*ocsp_response));
707 if (!chunk_dup(ocsp_response, src->ocsp_response)) {
Willy Tarreau61cfdf42021-02-20 10:46:51 +0100708 ha_free(&ocsp_response);
William Lallemand03c331c2020-05-13 10:10:01 +0200709 goto error;
710 }
711 dst->ocsp_response = ocsp_response;
712 }
713
714 if (src->ocsp_issuer) {
715 X509_up_ref(src->ocsp_issuer);
716 dst->ocsp_issuer = src->ocsp_issuer;
717 }
718
719 return dst;
720
721error:
722
723 /* free everything */
724 ssl_sock_free_cert_key_and_chain_contents(dst);
725
726 return NULL;
727}
728
729/*
730 * return 0 on success or != 0 on failure
731 */
732int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch, char **err)
733{
734 int ret = 1;
735 BIO *in = NULL;
736 X509 *issuer;
737
738 if (buf) {
739 /* reading from a buffer */
740 in = BIO_new_mem_buf(buf, -1);
741 if (in == NULL) {
742 memprintf(err, "%sCan't allocate memory\n", err && *err ? *err : "");
743 goto end;
744 }
745
746 } else {
747 /* reading from a file */
748 in = BIO_new(BIO_s_file());
749 if (in == NULL)
750 goto end;
751
752 if (BIO_read_filename(in, path) <= 0)
753 goto end;
754 }
755
756 issuer = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
757 if (!issuer) {
758 memprintf(err, "%s'%s' cannot be read or parsed'.\n",
759 err && *err ? *err : "", path);
760 goto end;
761 }
762 /* no error, fill ckch with new context, old context must be free */
763 if (ckch->ocsp_issuer)
764 X509_free(ckch->ocsp_issuer);
765 ckch->ocsp_issuer = issuer;
766 ret = 0;
767
768end:
769
770 ERR_clear_error();
771 if (in)
772 BIO_free(in);
773
774 return ret;
775}
776
777/******************** ckch_store functions ***********************************
778 * The ckch_store is a structure used to cache and index the SSL files used in
779 * configuration
780 */
781
782/*
783 * Free a ckch_store, its ckch, its instances and remove it from the ebtree
784 */
785void ckch_store_free(struct ckch_store *store)
786{
787 struct ckch_inst *inst, *inst_s;
788
789 if (!store)
790 return;
791
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200792 ssl_sock_free_cert_key_and_chain_contents(store->ckch);
William Lallemand03c331c2020-05-13 10:10:01 +0200793
Willy Tarreau61cfdf42021-02-20 10:46:51 +0100794 ha_free(&store->ckch);
William Lallemand03c331c2020-05-13 10:10:01 +0200795
796 list_for_each_entry_safe(inst, inst_s, &store->ckch_inst, by_ckchs) {
797 ckch_inst_free(inst);
798 }
799 ebmb_delete(&store->node);
800 free(store);
801}
802
803/*
804 * create and initialize a ckch_store
805 * <path> is the key name
806 * <nmemb> is the number of store->ckch objects to allocate
807 *
808 * Return a ckch_store or NULL upon failure.
809 */
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200810struct ckch_store *ckch_store_new(const char *filename)
William Lallemand03c331c2020-05-13 10:10:01 +0200811{
812 struct ckch_store *store;
813 int pathlen;
814
815 pathlen = strlen(filename);
816 store = calloc(1, sizeof(*store) + pathlen + 1);
817 if (!store)
818 return NULL;
819
William Lallemand03c331c2020-05-13 10:10:01 +0200820 memcpy(store->path, filename, pathlen + 1);
821
822 LIST_INIT(&store->ckch_inst);
823 LIST_INIT(&store->crtlist_entry);
824
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200825 store->ckch = calloc(1, sizeof(*store->ckch));
William Lallemand03c331c2020-05-13 10:10:01 +0200826 if (!store->ckch)
827 goto error;
828
829 return store;
830error:
831 ckch_store_free(store);
832 return NULL;
833}
834
835/* allocate and duplicate a ckch_store
836 * Return a new ckch_store or NULL */
837struct ckch_store *ckchs_dup(const struct ckch_store *src)
838{
839 struct ckch_store *dst;
840
William Lallemand6c096142021-02-23 14:45:45 +0100841 if (!src)
842 return NULL;
843
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200844 dst = ckch_store_new(src->path);
Eric Salama6ac61e32021-02-23 16:50:57 +0100845 if (!dst)
846 return NULL;
William Lallemand03c331c2020-05-13 10:10:01 +0200847
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200848 if (!ssl_sock_copy_cert_key_and_chain(src->ckch, dst->ckch))
849 goto error;
William Lallemand03c331c2020-05-13 10:10:01 +0200850
851 return dst;
852
853error:
854 ckch_store_free(dst);
855
856 return NULL;
857}
858
859/*
860 * lookup a path into the ckchs tree.
861 */
862struct ckch_store *ckchs_lookup(char *path)
863{
864 struct ebmb_node *eb;
865
866 eb = ebst_lookup(&ckchs_tree, path);
867 if (!eb)
868 return NULL;
869
870 return ebmb_entry(eb, struct ckch_store, node);
871}
872
873/*
874 * This function allocate a ckch_store and populate it with certificates from files.
875 */
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200876struct ckch_store *ckchs_load_cert_file(char *path, char **err)
William Lallemand03c331c2020-05-13 10:10:01 +0200877{
878 struct ckch_store *ckchs;
879
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200880 ckchs = ckch_store_new(path);
William Lallemand03c331c2020-05-13 10:10:01 +0200881 if (!ckchs) {
882 memprintf(err, "%sunable to allocate memory.\n", err && *err ? *err : "");
883 goto end;
884 }
William Lallemand03c331c2020-05-13 10:10:01 +0200885
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200886 if (ssl_sock_load_files_into_ckch(path, ckchs->ckch, err) == 1)
887 goto end;
William Lallemand03c331c2020-05-13 10:10:01 +0200888
William Lallemandbd8e6ed2020-09-16 16:08:08 +0200889 /* insert into the ckchs tree */
890 memcpy(ckchs->path, path, strlen(path) + 1);
891 ebst_insert(&ckchs_tree, &ckchs->node);
William Lallemand03c331c2020-05-13 10:10:01 +0200892 return ckchs;
893
894end:
895 ckch_store_free(ckchs);
896
897 return NULL;
898}
899
William Lallemandfa1d8b42020-05-13 15:46:10 +0200900
901/******************** ckch_inst functions ******************************/
902
903/* unlink a ckch_inst, free all SNIs, free the ckch_inst */
904/* The caller must use the lock of the bind_conf if used with inserted SNIs */
905void ckch_inst_free(struct ckch_inst *inst)
906{
907 struct sni_ctx *sni, *sni_s;
Remi Tricot-Le Breton4458b972021-02-19 17:41:55 +0100908 struct ckch_inst_link_ref *link_ref, *link_ref_s;
William Lallemandfa1d8b42020-05-13 15:46:10 +0200909
910 if (inst == NULL)
911 return;
912
913 list_for_each_entry_safe(sni, sni_s, &inst->sni_ctx, by_ckch_inst) {
914 SSL_CTX_free(sni->ctx);
Willy Tarreau2b718102021-04-21 07:32:39 +0200915 LIST_DELETE(&sni->by_ckch_inst);
William Lallemandfa1d8b42020-05-13 15:46:10 +0200916 ebmb_delete(&sni->name);
917 free(sni);
918 }
Remi Tricot-Le Bretonf3eedfe2021-01-25 17:19:44 +0100919 SSL_CTX_free(inst->ctx);
920 inst->ctx = NULL;
Willy Tarreau2b718102021-04-21 07:32:39 +0200921 LIST_DELETE(&inst->by_ckchs);
922 LIST_DELETE(&inst->by_crtlist_entry);
Remi Tricot-Le Breton4458b972021-02-19 17:41:55 +0100923
924 list_for_each_entry_safe(link_ref, link_ref_s, &inst->cafile_link_refs, list) {
925 LIST_DELETE(&link_ref->link->list);
926 LIST_DELETE(&link_ref->list);
927 free(link_ref);
928 }
929
William Lallemandfa1d8b42020-05-13 15:46:10 +0200930 free(inst);
931}
932
933/* Alloc and init a ckch_inst */
934struct ckch_inst *ckch_inst_new()
935{
936 struct ckch_inst *ckch_inst;
937
938 ckch_inst = calloc(1, sizeof *ckch_inst);
939 if (!ckch_inst)
940 return NULL;
941
942 LIST_INIT(&ckch_inst->sni_ctx);
943 LIST_INIT(&ckch_inst->by_ckchs);
944 LIST_INIT(&ckch_inst->by_crtlist_entry);
Remi Tricot-Le Breton4458b972021-02-19 17:41:55 +0100945 LIST_INIT(&ckch_inst->cafile_link_refs);
William Lallemandfa1d8b42020-05-13 15:46:10 +0200946
947 return ckch_inst;
948}
949
Remi Tricot-Le Bretonaf8820a2021-04-13 10:10:37 +0200950
951/******************** ssl_store functions ******************************/
Remi Tricot-Le Breton9f0c9362021-02-19 15:06:28 +0100952struct eb_root cafile_tree = EB_ROOT;
Remi Tricot-Le Bretonaf8820a2021-04-13 10:10:37 +0200953
Remi Tricot-Le Breton9f0c9362021-02-19 15:06:28 +0100954/*
955 * Returns the cafile_entry found in the cafile_tree indexed by the path 'path'.
956 * If 'oldest_entry' is 1, returns the "original" cafile_entry (since
957 * during a set cafile/commit cafile cycle there might be two entries for any
958 * given path, the original one and the new one set via the CLI but not
959 * committed yet).
960 */
Remi Tricot-Le Breton4458b972021-02-19 17:41:55 +0100961struct cafile_entry *ssl_store_get_cafile_entry(char *path, int oldest_entry)
Remi Tricot-Le Bretonaf8820a2021-04-13 10:10:37 +0200962{
Remi Tricot-Le Breton9f0c9362021-02-19 15:06:28 +0100963 struct cafile_entry *ca_e = NULL;
Remi Tricot-Le Bretonaf8820a2021-04-13 10:10:37 +0200964 struct ebmb_node *eb;
965
966 eb = ebst_lookup(&cafile_tree, path);
Remi Tricot-Le Breton9f0c9362021-02-19 15:06:28 +0100967 while (eb) {
Remi Tricot-Le Bretonaf8820a2021-04-13 10:10:37 +0200968 ca_e = ebmb_entry(eb, struct cafile_entry, node);
Remi Tricot-Le Breton9f0c9362021-02-19 15:06:28 +0100969 /* The ebst_lookup in a tree that has duplicates returns the
970 * oldest entry first. If we want the latest entry, we need to
971 * iterate over all the duplicates until we find the last one
972 * (in our case there should never be more than two entries for
973 * any given path). */
974 if (oldest_entry)
975 return ca_e;
976 eb = ebmb_next_dup(eb);
Remi Tricot-Le Bretonaf8820a2021-04-13 10:10:37 +0200977 }
Remi Tricot-Le Breton9f0c9362021-02-19 15:06:28 +0100978 return ca_e;
979}
980
Remi Tricot-Le Breton38c999b2021-02-23 16:28:43 +0100981int ssl_store_add_uncommitted_cafile_entry(struct cafile_entry *entry)
982{
983 return (ebst_insert(&cafile_tree, &entry->node) != &entry->node);
984}
985
Remi Tricot-Le Breton9f0c9362021-02-19 15:06:28 +0100986X509_STORE* ssl_store_get0_locations_file(char *path)
987{
988 struct cafile_entry *ca_e = ssl_store_get_cafile_entry(path, 0);
989
990 if (ca_e)
991 return ca_e->ca_store;
992
Remi Tricot-Le Bretonaf8820a2021-04-13 10:10:37 +0200993 return NULL;
994}
995
Remi Tricot-Le Breton5daff3c2021-02-22 15:54:55 +0100996/* Create a cafile_entry object, without adding it to the cafile_tree. */
Remi Tricot-Le Breton0bb48242021-04-16 17:59:23 +0200997struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store, enum cafile_type type)
Remi Tricot-Le Breton5daff3c2021-02-22 15:54:55 +0100998{
999 struct cafile_entry *ca_e;
1000 int pathlen;
1001
1002 pathlen = strlen(path);
1003
1004 ca_e = calloc(1, sizeof(*ca_e) + pathlen + 1);
1005 if (ca_e) {
1006 memcpy(ca_e->path, path, pathlen + 1);
1007 ca_e->ca_store = store;
Remi Tricot-Le Breton0bb48242021-04-16 17:59:23 +02001008 ca_e->type = type;
Remi Tricot-Le Breton5daff3c2021-02-22 15:54:55 +01001009 LIST_INIT(&ca_e->ckch_inst_link);
1010 }
1011 return ca_e;
1012}
1013
1014/* Delete a cafile_entry. The caller is responsible from removing this entry
1015 * from the cafile_tree first if is was previously added into it. */
1016void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e)
1017{
1018 struct ckch_inst_link *link, *link_s;
1019 if (!ca_e)
1020 return;
1021
1022 X509_STORE_free(ca_e->ca_store);
1023
1024 list_for_each_entry_safe(link, link_s, &ca_e->ckch_inst_link, list) {
1025 struct ckch_inst *inst = link->ckch_inst;
1026 struct ckch_inst_link_ref *link_ref, *link_ref_s;
1027 list_for_each_entry_safe(link_ref, link_ref_s, &inst->cafile_link_refs, list) {
1028 if (link_ref->link == link) {
1029 LIST_DELETE(&link_ref->list);
1030 free(link_ref);
1031 break;
1032 }
1033 }
1034 LIST_DELETE(&link->list);
1035 free(link);
1036 }
1037
1038 free(ca_e);
1039}
1040
Remi Tricot-Le Breton383fb142021-02-22 18:26:14 +01001041/*
1042 * Build a cafile_entry out of a buffer instead of out of a file.
1043 * This function is used when the "commit ssl ca-file" cli command is used.
1044 * It can parse CERTIFICATE sections as well as CRL ones.
1045 * Returns 0 in case of success, 1 otherwise.
1046 */
1047int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf)
1048{
1049 int retval = 0;
1050
1051 if (!ca_e)
1052 return 1;
1053
1054 if (!ca_e->ca_store) {
1055 ca_e->ca_store = X509_STORE_new();
1056 if (ca_e->ca_store) {
1057 BIO *bio = BIO_new_mem_buf(cert_buf, strlen(cert_buf));
1058 if (bio) {
1059 X509_INFO *info;
1060 int i;
1061 STACK_OF(X509_INFO) *infos = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
1062 if (!infos)
1063 {
1064 BIO_free(bio);
1065 return 1;
1066 }
1067
1068 for (i = 0; i < sk_X509_INFO_num(infos) && !retval; i++) {
1069 info = sk_X509_INFO_value(infos, i);
1070 /* X509_STORE_add_cert and X509_STORE_add_crl return 1 on success */
1071 if (info->x509) {
1072 retval = !X509_STORE_add_cert(ca_e->ca_store, info->x509);
1073 }
1074 if (!retval && info->crl) {
1075 retval = !X509_STORE_add_crl(ca_e->ca_store, info->crl);
1076 }
1077 }
1078 retval = retval || (i != sk_X509_INFO_num(infos));
1079
1080 /* Cleanup */
1081 sk_X509_INFO_pop_free(infos, X509_INFO_free);
1082 BIO_free(bio);
1083 }
1084 }
1085 }
1086
1087 return retval;
1088}
1089
Remi Tricot-Le Breton0bb48242021-04-16 17:59:23 +02001090int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
Remi Tricot-Le Bretonaf8820a2021-04-13 10:10:37 +02001091{
1092 X509_STORE *store = ssl_store_get0_locations_file(path);
1093
1094 /* If this function is called by the CLI, we should not call the
1095 * X509_STORE_load_locations function because it performs forbidden disk
1096 * accesses. */
1097 if (!store && create_if_none) {
1098 struct cafile_entry *ca_e;
1099 store = X509_STORE_new();
1100 if (X509_STORE_load_locations(store, path, NULL)) {
Remi Tricot-Le Breton0bb48242021-04-16 17:59:23 +02001101 ca_e = ssl_store_create_cafile_entry(path, store, type);
Remi Tricot-Le Bretonaf8820a2021-04-13 10:10:37 +02001102 if (ca_e) {
Remi Tricot-Le Bretonaf8820a2021-04-13 10:10:37 +02001103 ebst_insert(&cafile_tree, &ca_e->node);
1104 }
1105 } else {
1106 X509_STORE_free(store);
1107 store = NULL;
1108 }
1109 }
1110 return (store != NULL);
1111}
1112
1113
William Lallemandda8584c2020-05-14 10:14:37 +02001114/*************************** CLI commands ***********************/
1115
1116/* Type of SSL payloads that can be updated over the CLI */
1117
1118enum {
1119 CERT_TYPE_PEM = 0,
1120 CERT_TYPE_KEY,
1121#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
1122 CERT_TYPE_OCSP,
1123#endif
1124 CERT_TYPE_ISSUER,
Ilya Shipitsinc47d6762021-02-13 11:45:33 +05001125#ifdef HAVE_SSL_SCTL
William Lallemandda8584c2020-05-14 10:14:37 +02001126 CERT_TYPE_SCTL,
1127#endif
1128 CERT_TYPE_MAX,
1129};
1130
1131struct {
1132 const char *ext;
1133 int type;
1134 int (*load)(const char *path, char *payload, struct cert_key_and_chain *ckch, char **err);
1135 /* add a parsing callback */
1136} cert_exts[CERT_TYPE_MAX+1] = {
1137 [CERT_TYPE_PEM] = { "", CERT_TYPE_PEM, &ssl_sock_load_pem_into_ckch }, /* default mode, no extensions */
1138 [CERT_TYPE_KEY] = { "key", CERT_TYPE_KEY, &ssl_sock_load_key_into_ckch },
1139#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
1140 [CERT_TYPE_OCSP] = { "ocsp", CERT_TYPE_OCSP, &ssl_sock_load_ocsp_response_from_file },
1141#endif
Ilya Shipitsinc47d6762021-02-13 11:45:33 +05001142#ifdef HAVE_SSL_SCTL
William Lallemandda8584c2020-05-14 10:14:37 +02001143 [CERT_TYPE_SCTL] = { "sctl", CERT_TYPE_SCTL, &ssl_sock_load_sctl_from_file },
1144#endif
1145 [CERT_TYPE_ISSUER] = { "issuer", CERT_TYPE_ISSUER, &ssl_sock_load_issuer_file_into_ckch },
1146 [CERT_TYPE_MAX] = { NULL, CERT_TYPE_MAX, NULL },
1147};
1148
1149
1150/* release function of the `show ssl cert' command */
1151static void cli_release_show_cert(struct appctx *appctx)
1152{
1153 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1154}
1155
1156/* IO handler of "show ssl cert <filename>" */
1157static int cli_io_handler_show_cert(struct appctx *appctx)
1158{
1159 struct buffer *trash = alloc_trash_chunk();
1160 struct ebmb_node *node;
1161 struct stream_interface *si = appctx->owner;
1162 struct ckch_store *ckchs;
1163
1164 if (trash == NULL)
1165 return 1;
1166
1167 if (!appctx->ctx.ssl.old_ckchs) {
1168 if (ckchs_transaction.old_ckchs) {
1169 ckchs = ckchs_transaction.old_ckchs;
1170 chunk_appendf(trash, "# transaction\n");
William Lallemand5685ccf2020-09-16 16:12:25 +02001171 chunk_appendf(trash, "*%s\n", ckchs->path);
William Lallemandda8584c2020-05-14 10:14:37 +02001172 }
1173 }
1174
1175 if (!appctx->ctx.cli.p0) {
1176 chunk_appendf(trash, "# filename\n");
1177 node = ebmb_first(&ckchs_tree);
1178 } else {
1179 node = &((struct ckch_store *)appctx->ctx.cli.p0)->node;
1180 }
1181 while (node) {
1182 ckchs = ebmb_entry(node, struct ckch_store, node);
William Lallemand5685ccf2020-09-16 16:12:25 +02001183 chunk_appendf(trash, "%s\n", ckchs->path);
William Lallemandda8584c2020-05-14 10:14:37 +02001184
1185 node = ebmb_next(node);
1186 if (ci_putchk(si_ic(si), trash) == -1) {
1187 si_rx_room_blk(si);
1188 goto yield;
1189 }
1190 }
1191
1192 appctx->ctx.cli.p0 = NULL;
1193 free_trash_chunk(trash);
1194 return 1;
1195yield:
1196
1197 free_trash_chunk(trash);
1198 appctx->ctx.cli.p0 = ckchs;
1199 return 0; /* should come back */
1200}
1201
1202/*
1203 * Extract and format the DNS SAN extensions and copy result into a chuink
1204 * Return 0;
1205 */
1206#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1207static int ssl_sock_get_san_oneline(X509 *cert, struct buffer *out)
1208{
1209 int i;
1210 char *str;
1211 STACK_OF(GENERAL_NAME) *names = NULL;
1212
1213 names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
1214 if (names) {
1215 for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
1216 GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
1217 if (i > 0)
1218 chunk_appendf(out, ", ");
1219 if (name->type == GEN_DNS) {
1220 if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) {
1221 chunk_appendf(out, "DNS:%s", str);
1222 OPENSSL_free(str);
1223 }
1224 }
1225 }
1226 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
1227 }
1228 return 0;
1229}
1230#endif
1231
Remi Tricot-Le Breton4458b972021-02-19 17:41:55 +01001232/*
1233 * Build the ckch_inst_link that will be chained in the CA file entry and the
1234 * corresponding ckch_inst_link_ref that will be chained in the ckch instance.
1235 * Return 0 in case of success.
1236 */
1237static int do_chain_inst_and_cafile(struct cafile_entry *cafile_entry, struct ckch_inst *ckch_inst)
1238{
1239 struct ckch_inst_link *new_link;
1240 if (!LIST_ISEMPTY(&cafile_entry->ckch_inst_link)) {
1241 struct ckch_inst_link *link = LIST_ELEM(cafile_entry->ckch_inst_link.n,
1242 typeof(link), list);
1243 /* Do not add multiple references to the same
1244 * instance in a cafile_entry */
1245 if (link->ckch_inst == ckch_inst) {
1246 return 1;
1247 }
1248 }
1249
1250 new_link = calloc(1, sizeof(*new_link));
1251 if (new_link) {
1252 struct ckch_inst_link_ref *new_link_ref = calloc(1, sizeof(*new_link_ref));
1253 if (!new_link_ref) {
1254 free(new_link);
1255 return 1;
1256 }
1257
1258 new_link->ckch_inst = ckch_inst;
1259 new_link_ref->link = new_link;
1260 LIST_INIT(&new_link->list);
1261 LIST_INIT(&new_link_ref->list);
1262
1263 LIST_APPEND(&cafile_entry->ckch_inst_link, &new_link->list);
1264 LIST_APPEND(&ckch_inst->cafile_link_refs, &new_link_ref->list);
1265 }
1266
1267 return 0;
1268}
1269
1270
1271/*
1272 * Link a CA file tree entry to the ckch instance that uses it.
1273 * To determine if and which CA file tree entries need to be linked to the
1274 * instance, we follow the same logic performed in ssl_sock_prepare_ctx when
1275 * processing the verify option.
1276 * This function works for a frontend as well as for a backend, depending on the
1277 * configuration parameters given (bind_conf or server).
1278 */
1279void ckch_inst_add_cafile_link(struct ckch_inst *ckch_inst, struct bind_conf *bind_conf,
1280 struct ssl_bind_conf *ssl_conf, const struct server *srv)
1281{
1282 int verify = SSL_VERIFY_NONE;
1283
1284 if (srv) {
1285
1286 if (global.ssl_server_verify == SSL_SERVER_VERIFY_REQUIRED)
1287 verify = SSL_VERIFY_PEER;
1288 switch (srv->ssl_ctx.verify) {
1289 case SSL_SOCK_VERIFY_NONE:
1290 verify = SSL_VERIFY_NONE;
1291 break;
1292 case SSL_SOCK_VERIFY_REQUIRED:
1293 verify = SSL_VERIFY_PEER;
1294 break;
1295 }
1296 }
1297 else {
1298 switch ((ssl_conf && ssl_conf->verify) ? ssl_conf->verify : bind_conf->ssl_conf.verify) {
1299 case SSL_SOCK_VERIFY_NONE:
1300 verify = SSL_VERIFY_NONE;
1301 break;
1302 case SSL_SOCK_VERIFY_OPTIONAL:
1303 verify = SSL_VERIFY_PEER;
1304 break;
1305 case SSL_SOCK_VERIFY_REQUIRED:
1306 verify = SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
1307 break;
1308 }
1309 }
1310
1311 if (verify & SSL_VERIFY_PEER) {
1312 struct cafile_entry *ca_file_entry = NULL;
1313 struct cafile_entry *ca_verify_file_entry = NULL;
Remi Tricot-Le Bretonf81c70c2021-04-20 16:54:21 +02001314 struct cafile_entry *crl_file_entry = NULL;
Remi Tricot-Le Breton4458b972021-02-19 17:41:55 +01001315 if (srv) {
1316 if (srv->ssl_ctx.ca_file) {
1317 ca_file_entry = ssl_store_get_cafile_entry(srv->ssl_ctx.ca_file, 0);
1318
1319 }
Remi Tricot-Le Bretonf81c70c2021-04-20 16:54:21 +02001320 if (srv->ssl_ctx.crl_file) {
1321 crl_file_entry = ssl_store_get_cafile_entry(srv->ssl_ctx.crl_file, 0);
1322 }
Remi Tricot-Le Breton4458b972021-02-19 17:41:55 +01001323 }
1324 else {
1325 char *ca_file = (ssl_conf && ssl_conf->ca_file) ? ssl_conf->ca_file : bind_conf->ssl_conf.ca_file;
1326 char *ca_verify_file = (ssl_conf && ssl_conf->ca_verify_file) ? ssl_conf->ca_verify_file : bind_conf->ssl_conf.ca_verify_file;
Remi Tricot-Le Bretonf81c70c2021-04-20 16:54:21 +02001327 char *crl_file = (ssl_conf && ssl_conf->crl_file) ? ssl_conf->crl_file : bind_conf->ssl_conf.crl_file;
Remi Tricot-Le Breton4458b972021-02-19 17:41:55 +01001328
1329 if (ca_file)
1330 ca_file_entry = ssl_store_get_cafile_entry(ca_file, 0);
1331 if (ca_verify_file)
1332 ca_verify_file_entry = ssl_store_get_cafile_entry(ca_verify_file, 0);
Remi Tricot-Le Bretonf81c70c2021-04-20 16:54:21 +02001333 if (crl_file)
1334 crl_file_entry = ssl_store_get_cafile_entry(crl_file, 0);
Remi Tricot-Le Breton4458b972021-02-19 17:41:55 +01001335 }
1336
1337 if (ca_file_entry) {
1338 /* If we have a ckch instance that is not already in the
1339 * cafile_entry's list, add it to it. */
1340 if (do_chain_inst_and_cafile(ca_file_entry, ckch_inst))
1341 return;
1342
1343 }
1344 if (ca_verify_file_entry && (ca_file_entry != ca_verify_file_entry)) {
1345 /* If we have a ckch instance that is not already in the
1346 * cafile_entry's list, add it to it. */
1347 if (do_chain_inst_and_cafile(ca_verify_file_entry, ckch_inst))
1348 return;
1349 }
Remi Tricot-Le Bretonf81c70c2021-04-20 16:54:21 +02001350 if (crl_file_entry) {
1351 /* If we have a ckch instance that is not already in the
1352 * cafile_entry's list, add it to it. */
1353 if (do_chain_inst_and_cafile(crl_file_entry, ckch_inst))
1354 return;
1355 }
Remi Tricot-Le Breton4458b972021-02-19 17:41:55 +01001356 }
1357}
1358
William Lallemandda8584c2020-05-14 10:14:37 +02001359
1360
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001361static int show_cert_detail(X509 *cert, STACK_OF(X509) *chain, struct buffer *out)
William Lallemandda8584c2020-05-14 10:14:37 +02001362{
William Lallemandda8584c2020-05-14 10:14:37 +02001363 BIO *bio = NULL;
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001364 struct buffer *tmp = alloc_trash_chunk();
William Lallemandda8584c2020-05-14 10:14:37 +02001365 int i;
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001366 int write = -1;
1367 unsigned int len = 0;
1368 X509_NAME *name = NULL;
William Lallemandda8584c2020-05-14 10:14:37 +02001369
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001370 if (!tmp)
1371 return -1;
William Lallemandda8584c2020-05-14 10:14:37 +02001372
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001373 if (!cert)
William Lallemand5685ccf2020-09-16 16:12:25 +02001374 goto end;
William Lallemandda8584c2020-05-14 10:14:37 +02001375
William Lallemand5685ccf2020-09-16 16:12:25 +02001376 if (chain == NULL) {
1377 struct issuer_chain *issuer;
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001378 issuer = ssl_get0_issuer_chain(cert);
William Lallemand5685ccf2020-09-16 16:12:25 +02001379 if (issuer) {
1380 chain = issuer->chain;
1381 chunk_appendf(out, "Chain Filename: ");
1382 chunk_appendf(out, "%s\n", issuer->path);
William Lallemandda8584c2020-05-14 10:14:37 +02001383 }
William Lallemand5685ccf2020-09-16 16:12:25 +02001384 }
1385 chunk_appendf(out, "Serial: ");
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001386 if (ssl_sock_get_serial(cert, tmp) == -1)
William Lallemand5685ccf2020-09-16 16:12:25 +02001387 goto end;
1388 dump_binary(out, tmp->area, tmp->data);
1389 chunk_appendf(out, "\n");
William Lallemandda8584c2020-05-14 10:14:37 +02001390
William Lallemand5685ccf2020-09-16 16:12:25 +02001391 chunk_appendf(out, "notBefore: ");
1392 chunk_reset(tmp);
1393 if ((bio = BIO_new(BIO_s_mem())) == NULL)
1394 goto end;
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001395 if (ASN1_TIME_print(bio, X509_getm_notBefore(cert)) == 0)
William Lallemand5685ccf2020-09-16 16:12:25 +02001396 goto end;
1397 write = BIO_read(bio, tmp->area, tmp->size-1);
1398 tmp->area[write] = '\0';
1399 BIO_free(bio);
1400 bio = NULL;
1401 chunk_appendf(out, "%s\n", tmp->area);
William Lallemandda8584c2020-05-14 10:14:37 +02001402
William Lallemand5685ccf2020-09-16 16:12:25 +02001403 chunk_appendf(out, "notAfter: ");
1404 chunk_reset(tmp);
1405 if ((bio = BIO_new(BIO_s_mem())) == NULL)
1406 goto end;
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001407 if (ASN1_TIME_print(bio, X509_getm_notAfter(cert)) == 0)
William Lallemand5685ccf2020-09-16 16:12:25 +02001408 goto end;
1409 if ((write = BIO_read(bio, tmp->area, tmp->size-1)) <= 0)
1410 goto end;
1411 tmp->area[write] = '\0';
1412 BIO_free(bio);
1413 bio = NULL;
1414 chunk_appendf(out, "%s\n", tmp->area);
William Lallemandda8584c2020-05-14 10:14:37 +02001415
1416#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
William Lallemand5685ccf2020-09-16 16:12:25 +02001417 chunk_appendf(out, "Subject Alternative Name: ");
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001418 if (ssl_sock_get_san_oneline(cert, out) == -1)
William Lallemand5685ccf2020-09-16 16:12:25 +02001419 goto end;
1420 *(out->area + out->data) = '\0';
1421 chunk_appendf(out, "\n");
William Lallemandda8584c2020-05-14 10:14:37 +02001422#endif
William Lallemand5685ccf2020-09-16 16:12:25 +02001423 chunk_reset(tmp);
1424 chunk_appendf(out, "Algorithm: ");
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001425 if (cert_get_pkey_algo(cert, tmp) == 0)
William Lallemand5685ccf2020-09-16 16:12:25 +02001426 goto end;
1427 chunk_appendf(out, "%s\n", tmp->area);
William Lallemandda8584c2020-05-14 10:14:37 +02001428
William Lallemand5685ccf2020-09-16 16:12:25 +02001429 chunk_reset(tmp);
1430 chunk_appendf(out, "SHA1 FingerPrint: ");
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001431 if (X509_digest(cert, EVP_sha1(), (unsigned char *) tmp->area, &len) == 0)
William Lallemand5685ccf2020-09-16 16:12:25 +02001432 goto end;
1433 tmp->data = len;
1434 dump_binary(out, tmp->area, tmp->data);
1435 chunk_appendf(out, "\n");
William Lallemandda8584c2020-05-14 10:14:37 +02001436
William Lallemand5685ccf2020-09-16 16:12:25 +02001437 chunk_appendf(out, "Subject: ");
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001438 if ((name = X509_get_subject_name(cert)) == NULL)
William Lallemand5685ccf2020-09-16 16:12:25 +02001439 goto end;
1440 if ((ssl_sock_get_dn_oneline(name, tmp)) == -1)
1441 goto end;
1442 *(tmp->area + tmp->data) = '\0';
1443 chunk_appendf(out, "%s\n", tmp->area);
1444
1445 chunk_appendf(out, "Issuer: ");
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001446 if ((name = X509_get_issuer_name(cert)) == NULL)
William Lallemand5685ccf2020-09-16 16:12:25 +02001447 goto end;
1448 if ((ssl_sock_get_dn_oneline(name, tmp)) == -1)
1449 goto end;
1450 *(tmp->area + tmp->data) = '\0';
1451 chunk_appendf(out, "%s\n", tmp->area);
1452
1453 /* Displays subject of each certificate in the chain */
1454 for (i = 0; i < sk_X509_num(chain); i++) {
1455 X509 *ca = sk_X509_value(chain, i);
1456
1457 chunk_appendf(out, "Chain Subject: ");
1458 if ((name = X509_get_subject_name(ca)) == NULL)
William Lallemandda8584c2020-05-14 10:14:37 +02001459 goto end;
1460 if ((ssl_sock_get_dn_oneline(name, tmp)) == -1)
1461 goto end;
1462 *(tmp->area + tmp->data) = '\0';
1463 chunk_appendf(out, "%s\n", tmp->area);
1464
William Lallemand5685ccf2020-09-16 16:12:25 +02001465 chunk_appendf(out, "Chain Issuer: ");
1466 if ((name = X509_get_issuer_name(ca)) == NULL)
William Lallemandda8584c2020-05-14 10:14:37 +02001467 goto end;
1468 if ((ssl_sock_get_dn_oneline(name, tmp)) == -1)
1469 goto end;
1470 *(tmp->area + tmp->data) = '\0';
1471 chunk_appendf(out, "%s\n", tmp->area);
William Lallemandda8584c2020-05-14 10:14:37 +02001472 }
1473
1474end:
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001475 if (bio)
1476 BIO_free(bio);
1477 free_trash_chunk(tmp);
1478
1479 return 0;
1480}
1481
Remi Tricot-Le Breton3faf0cb2021-06-10 18:10:32 +02001482#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
Remi Tricot-Le Bretonda968f62021-06-10 13:51:14 +02001483/*
1484 * Build the OCSP tree entry's key for a given ckch_store.
1485 * Returns a negative value in case of error.
1486 */
1487static int ckch_store_build_certid(struct ckch_store *ckch_store, unsigned char certid[128], unsigned int *key_length)
1488{
1489 OCSP_RESPONSE *resp;
1490 OCSP_BASICRESP *bs = NULL;
1491 OCSP_SINGLERESP *sr;
1492 OCSP_CERTID *id;
1493 unsigned char *p = NULL;
1494
1495 if (!key_length)
1496 return -1;
1497
1498 *key_length = 0;
1499
1500 if (!ckch_store->ckch->ocsp_response)
1501 return 0;
1502
1503 p = (unsigned char *) ckch_store->ckch->ocsp_response->area;
1504
1505 resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **)&p,
1506 ckch_store->ckch->ocsp_response->data);
1507 if (!resp) {
1508 goto end;
1509 }
1510
1511 bs = OCSP_response_get1_basic(resp);
1512 if (!bs) {
1513 goto end;
1514 }
1515
1516 sr = OCSP_resp_get0(bs, 0);
1517 if (!sr) {
1518 goto end;
1519 }
1520
1521 id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr);
1522
1523 p = certid;
1524 *key_length = i2d_OCSP_CERTID(id, &p);
1525
1526end:
1527 return *key_length > 0;
1528}
1529#endif
1530
1531/*
1532 * Dump the OCSP certificate key (if it exists) of certificate <ckch> into
1533 * buffer <out>.
1534 * Returns 0 in case of success.
1535 */
1536static int ckch_store_show_ocsp_certid(struct ckch_store *ckch_store, struct buffer *out)
1537{
Remi Tricot-Le Breton3faf0cb2021-06-10 18:10:32 +02001538#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
Remi Tricot-Le Bretonda968f62021-06-10 13:51:14 +02001539 unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
1540 unsigned int key_length = 0;
1541 int i;
1542
1543 if (ckch_store_build_certid(ckch_store, (unsigned char*)key, &key_length) >= 0) {
1544 /* Dump the CERTID info */
1545 chunk_appendf(out, "OCSP Response Key: ");
1546 for (i = 0; i < key_length; ++i) {
1547 chunk_appendf(out, "%02x", key[i]);
1548 }
1549 chunk_appendf(out, "\n");
1550 }
1551#endif
1552
1553 return 0;
1554}
1555
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001556
1557/* IO handler of the details "show ssl cert <filename>" */
1558static int cli_io_handler_show_cert_detail(struct appctx *appctx)
1559{
1560 struct stream_interface *si = appctx->owner;
1561 struct ckch_store *ckchs = appctx->ctx.cli.p0;
1562 struct buffer *out = alloc_trash_chunk();
1563 int retval = 0;
1564
1565 if (!out)
1566 goto end_no_putchk;
1567
1568 chunk_appendf(out, "Filename: ");
1569 if (ckchs == ckchs_transaction.new_ckchs)
1570 chunk_appendf(out, "*");
1571 chunk_appendf(out, "%s\n", ckchs->path);
1572
1573 chunk_appendf(out, "Status: ");
1574 if (ckchs->ckch->cert == NULL)
1575 chunk_appendf(out, "Empty\n");
1576 else if (LIST_ISEMPTY(&ckchs->ckch_inst))
1577 chunk_appendf(out, "Unused\n");
1578 else
1579 chunk_appendf(out, "Used\n");
1580
1581 retval = show_cert_detail(ckchs->ckch->cert, ckchs->ckch->chain, out);
1582 if (retval < 0)
1583 goto end_no_putchk;
1584 else if (retval)
1585 goto end;
1586
Remi Tricot-Le Bretonda968f62021-06-10 13:51:14 +02001587 ckch_store_show_ocsp_certid(ckchs, out);
1588
Remi Tricot-Le Breton523f0e42021-03-16 10:11:44 +01001589end:
William Lallemandda8584c2020-05-14 10:14:37 +02001590 if (ci_putchk(si_ic(si), out) == -1) {
1591 si_rx_room_blk(si);
1592 goto yield;
1593 }
1594
1595end_no_putchk:
William Lallemandda8584c2020-05-14 10:14:37 +02001596 free_trash_chunk(out);
1597 return 1;
1598yield:
William Lallemandda8584c2020-05-14 10:14:37 +02001599 free_trash_chunk(out);
1600 return 0; /* should come back */
1601}
1602
Remi Tricot-Le Breton6056e612021-06-10 13:51:15 +02001603
1604/* IO handler of the details "show ssl cert <filename.ocsp>" */
1605static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
1606{
Remi Tricot-Le Breton3faf0cb2021-06-10 18:10:32 +02001607#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
Remi Tricot-Le Breton6056e612021-06-10 13:51:15 +02001608 struct stream_interface *si = appctx->owner;
1609 struct ckch_store *ckchs = appctx->ctx.cli.p0;
1610 struct buffer *out = alloc_trash_chunk();
1611 int from_transaction = appctx->ctx.cli.i0;
1612
1613 if (!out)
1614 goto end_no_putchk;
1615
1616 /* If we try to display an ongoing transaction's OCSP response, we
1617 * need to dump the ckch's ocsp_response buffer directly.
1618 * Otherwise, we must rebuild the certificate's certid in order to
1619 * look for the current OCSP response in the tree. */
1620 if (from_transaction && ckchs->ckch->ocsp_response) {
1621 ssl_ocsp_response_print(ckchs->ckch->ocsp_response, out);
1622 }
1623 else {
1624 unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
1625 unsigned int key_length = 0;
1626
1627 if (ckch_store_build_certid(ckchs, (unsigned char*)key, &key_length) < 0)
1628 goto end_no_putchk;
1629
1630 ssl_get_ocspresponse_detail(key, out);
1631 }
1632
1633 if (ci_putchk(si_ic(si), out) == -1) {
1634 si_rx_room_blk(si);
1635 goto yield;
1636 }
1637
1638end_no_putchk:
1639 free_trash_chunk(out);
1640 return 1;
1641yield:
1642 free_trash_chunk(out);
1643 return 0; /* should come back */
1644#else
1645 return cli_err(appctx, "HAProxy was compiled against a version of OpenSSL that doesn't support OCSP stapling.\n");
1646#endif
1647}
1648
William Lallemandda8584c2020-05-14 10:14:37 +02001649/* parsing function for 'show ssl cert [certfile]' */
1650static int cli_parse_show_cert(char **args, char *payload, struct appctx *appctx, void *private)
1651{
1652 struct ckch_store *ckchs;
1653
1654 if (!cli_has_level(appctx, ACCESS_LVL_OPER))
1655 return cli_err(appctx, "Can't allocate memory!\n");
1656
1657 /* The operations on the CKCH architecture are locked so we can
1658 * manipulate ckch_store and ckch_inst */
1659 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
1660 return cli_err(appctx, "Can't show!\nOperations on certificates are currently locked!\n");
1661
1662 /* check if there is a certificate to lookup */
1663 if (*args[3]) {
Remi Tricot-Le Breton6056e612021-06-10 13:51:15 +02001664 int show_ocsp_detail = 0;
1665 int from_transaction = 0;
1666 char *end;
1667
1668 /* We manage the special case "certname.ocsp" through which we
1669 * can show the details of an OCSP response. */
1670 end = strrchr(args[3], '.');
1671 if (end && strcmp(end+1, "ocsp") == 0) {
1672 *end = '\0';
1673 show_ocsp_detail = 1;
1674 }
1675
William Lallemandda8584c2020-05-14 10:14:37 +02001676 if (*args[3] == '*') {
Remi Tricot-Le Breton6056e612021-06-10 13:51:15 +02001677 from_transaction = 1;
William Lallemandda8584c2020-05-14 10:14:37 +02001678 if (!ckchs_transaction.new_ckchs)
1679 goto error;
1680
1681 ckchs = ckchs_transaction.new_ckchs;
1682
Tim Duesterhuse5ff1412021-01-02 22:31:53 +01001683 if (strcmp(args[3] + 1, ckchs->path) != 0)
William Lallemandda8584c2020-05-14 10:14:37 +02001684 goto error;
1685
1686 } else {
1687 if ((ckchs = ckchs_lookup(args[3])) == NULL)
1688 goto error;
1689
1690 }
1691
William Lallemandda8584c2020-05-14 10:14:37 +02001692 appctx->ctx.cli.p0 = ckchs;
1693 /* use the IO handler that shows details */
Remi Tricot-Le Breton6056e612021-06-10 13:51:15 +02001694 if (show_ocsp_detail) {
1695 appctx->ctx.cli.i0 = from_transaction;
1696 appctx->io_handler = cli_io_handler_show_cert_ocsp_detail;
1697 }
1698 else
1699 appctx->io_handler = cli_io_handler_show_cert_detail;
William Lallemandda8584c2020-05-14 10:14:37 +02001700 }
1701
1702 return 0;
1703
1704error:
1705 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1706 return cli_err(appctx, "Can't display the certificate: Not found or the certificate is a bundle!\n");
1707}
1708
1709/* release function of the `set ssl cert' command, free things and unlock the spinlock */
1710static void cli_release_commit_cert(struct appctx *appctx)
1711{
1712 struct ckch_store *new_ckchs;
1713
1714 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
1715
1716 if (appctx->st2 != SETCERT_ST_FIN) {
1717 /* free every new sni_ctx and the new store, which are not in the trees so no spinlock there */
1718 new_ckchs = appctx->ctx.ssl.new_ckchs;
1719
1720 /* if the allocation failed, we need to free everything from the temporary list */
1721 ckch_store_free(new_ckchs);
1722 }
1723}
1724
Remi Tricot-Le Bretonbfadc022021-02-24 12:20:48 +01001725
1726/*
1727 * Rebuild a new instance 'new_inst' based on an old instance 'ckchi' and a
1728 * specific ckch_store.
1729 * Returns 0 in case of success, 1 otherwise.
1730 */
1731static int ckch_inst_rebuild(struct ckch_store *ckch_store, struct ckch_inst *ckchi,
1732 struct ckch_inst **new_inst, char **err)
1733{
1734 int retval = 0;
1735 int errcode = 0;
1736 struct sni_ctx *sc0, *sc0s;
1737 char **sni_filter = NULL;
1738 int fcount = 0;
1739
1740 if (ckchi->crtlist_entry) {
1741 sni_filter = ckchi->crtlist_entry->filters;
1742 fcount = ckchi->crtlist_entry->fcount;
1743 }
1744
1745 if (ckchi->is_server_instance)
1746 errcode |= ckch_inst_new_load_srv_store(ckch_store->path, ckch_store, new_inst, err);
1747 else
1748 errcode |= ckch_inst_new_load_store(ckch_store->path, ckch_store, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, new_inst, err);
1749
1750 if (errcode & ERR_CODE)
1751 return 1;
1752
1753 /* if the previous ckchi was used as the default */
1754 if (ckchi->is_default)
1755 (*new_inst)->is_default = 1;
1756
1757 (*new_inst)->is_server_instance = ckchi->is_server_instance;
1758 (*new_inst)->server = ckchi->server;
1759 /* Create a new SSL_CTX and link it to the new instance. */
1760 if ((*new_inst)->is_server_instance) {
1761 retval = ssl_sock_prep_srv_ctx_and_inst(ckchi->server, (*new_inst)->ctx, (*new_inst));
1762 if (retval)
1763 return 1;
1764 }
1765
1766 /* create the link to the crtlist_entry */
1767 (*new_inst)->crtlist_entry = ckchi->crtlist_entry;
1768
1769 /* we need to initialize the SSL_CTX generated */
1770 /* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */
1771 list_for_each_entry_safe(sc0, sc0s, &(*new_inst)->sni_ctx, by_ckch_inst) {
1772 if (!sc0->order) { /* we initialized only the first SSL_CTX because it's the same in the other sni_ctx's */
1773 errcode |= ssl_sock_prep_ctx_and_inst(ckchi->bind_conf, ckchi->ssl_conf, sc0->ctx, *new_inst, err);
1774 if (errcode & ERR_CODE)
1775 return 1;
1776 }
1777 }
1778
1779 return 0;
1780}
1781
1782/*
1783 * Load all the new SNIs of a newly built ckch instance in the trees, or replace
1784 * a server's main ckch instance.
1785 */
1786static void __ssl_sock_load_new_ckch_instance(struct ckch_inst *ckchi)
1787{
1788 /* The bind_conf will be null on server ckch_instances. */
1789 if (ckchi->is_server_instance) {
1790 int i;
1791 /* a lock is needed here since we have to free the SSL cache */
1792 HA_RWLOCK_WRLOCK(SSL_SERVER_LOCK, &ckchi->server->ssl_ctx.lock);
1793 /* free the server current SSL_CTX */
1794 SSL_CTX_free(ckchi->server->ssl_ctx.ctx);
1795 /* Actual ssl context update */
1796 SSL_CTX_up_ref(ckchi->ctx);
1797 ckchi->server->ssl_ctx.ctx = ckchi->ctx;
1798 ckchi->server->ssl_ctx.inst = ckchi;
1799
1800 /* flush the session cache of the server */
1801 for (i = 0; i < global.nbthread; i++) {
William Lallemandce990332021-11-23 15:15:09 +01001802 ha_free(&ckchi->server->ssl_ctx.reused_sess[i].sni);
Remi Tricot-Le Bretonbfadc022021-02-24 12:20:48 +01001803 ha_free(&ckchi->server->ssl_ctx.reused_sess[i].ptr);
1804 }
1805 HA_RWLOCK_WRUNLOCK(SSL_SERVER_LOCK, &ckchi->server->ssl_ctx.lock);
1806
1807 } else {
1808 HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
1809 ssl_sock_load_cert_sni(ckchi, ckchi->bind_conf);
1810 HA_RWLOCK_WRUNLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
1811 }
1812}
1813
1814/*
1815 * Delete a ckch instance that was replaced after a CLI command.
1816 */
1817static void __ckch_inst_free_locked(struct ckch_inst *ckchi)
1818{
1819 if (ckchi->is_server_instance) {
1820 /* no lock for servers */
1821 ckch_inst_free(ckchi);
1822 } else {
1823 struct bind_conf __maybe_unused *bind_conf = ckchi->bind_conf;
1824
1825 HA_RWLOCK_WRLOCK(SNI_LOCK, &bind_conf->sni_lock);
1826 ckch_inst_free(ckchi);
1827 HA_RWLOCK_WRUNLOCK(SNI_LOCK, &bind_conf->sni_lock);
1828 }
1829}
1830
1831
William Lallemandda8584c2020-05-14 10:14:37 +02001832/*
1833 * This function tries to create the new ckch_inst and their SNIs
1834 */
1835static int cli_io_handler_commit_cert(struct appctx *appctx)
1836{
1837 struct stream_interface *si = appctx->owner;
1838 int y = 0;
1839 char *err = NULL;
William Lallemandda8584c2020-05-14 10:14:37 +02001840 struct ckch_store *old_ckchs, *new_ckchs = NULL;
1841 struct ckch_inst *ckchi, *ckchis;
1842 struct buffer *trash = alloc_trash_chunk();
William Lallemandda8584c2020-05-14 10:14:37 +02001843 struct crtlist_entry *entry;
1844
1845 if (trash == NULL)
1846 goto error;
1847
1848 if (unlikely(si_ic(si)->flags & (CF_WRITE_ERROR|CF_SHUTW)))
1849 goto error;
1850
1851 while (1) {
1852 switch (appctx->st2) {
1853 case SETCERT_ST_INIT:
1854 /* This state just print the update message */
1855 chunk_printf(trash, "Committing %s", ckchs_transaction.path);
1856 if (ci_putchk(si_ic(si), trash) == -1) {
1857 si_rx_room_blk(si);
1858 goto yield;
1859 }
1860 appctx->st2 = SETCERT_ST_GEN;
1861 /* fallthrough */
1862 case SETCERT_ST_GEN:
1863 /*
1864 * This state generates the ckch instances with their
1865 * sni_ctxs and SSL_CTX.
1866 *
1867 * Since the SSL_CTX generation can be CPU consumer, we
1868 * yield every 10 instances.
1869 */
1870
1871 old_ckchs = appctx->ctx.ssl.old_ckchs;
1872 new_ckchs = appctx->ctx.ssl.new_ckchs;
1873
1874 if (!new_ckchs)
1875 continue;
1876
1877 /* get the next ckchi to regenerate */
1878 ckchi = appctx->ctx.ssl.next_ckchi;
1879 /* we didn't start yet, set it to the first elem */
1880 if (ckchi == NULL)
1881 ckchi = LIST_ELEM(old_ckchs->ckch_inst.n, typeof(ckchi), by_ckchs);
1882
1883 /* walk through the old ckch_inst and creates new ckch_inst using the updated ckchs */
1884 list_for_each_entry_from(ckchi, &old_ckchs->ckch_inst, by_ckchs) {
1885 struct ckch_inst *new_inst;
William Lallemandda8584c2020-05-14 10:14:37 +02001886
1887 /* it takes a lot of CPU to creates SSL_CTXs, so we yield every 10 CKCH instances */
1888 if (y >= 10) {
1889 /* save the next ckchi to compute */
1890 appctx->ctx.ssl.next_ckchi = ckchi;
1891 goto yield;
1892 }
1893
Remi Tricot-Le Bretonbfadc022021-02-24 12:20:48 +01001894 if (ckch_inst_rebuild(new_ckchs, ckchi, &new_inst, &err))
William Lallemandda8584c2020-05-14 10:14:37 +02001895 goto error;
1896
William Lallemandda8584c2020-05-14 10:14:37 +02001897 /* display one dot per new instance */
1898 chunk_appendf(trash, ".");
1899 /* link the new ckch_inst to the duplicate */
Willy Tarreau2b718102021-04-21 07:32:39 +02001900 LIST_APPEND(&new_ckchs->ckch_inst, &new_inst->by_ckchs);
William Lallemandda8584c2020-05-14 10:14:37 +02001901 y++;
1902 }
1903 appctx->st2 = SETCERT_ST_INSERT;
1904 /* fallthrough */
1905 case SETCERT_ST_INSERT:
1906 /* The generation is finished, we can insert everything */
1907
1908 old_ckchs = appctx->ctx.ssl.old_ckchs;
1909 new_ckchs = appctx->ctx.ssl.new_ckchs;
1910
1911 if (!new_ckchs)
1912 continue;
1913
1914 /* get the list of crtlist_entry in the old store, and update the pointers to the store */
1915 LIST_SPLICE(&new_ckchs->crtlist_entry, &old_ckchs->crtlist_entry);
1916 list_for_each_entry(entry, &new_ckchs->crtlist_entry, by_ckch_store) {
1917 ebpt_delete(&entry->node);
1918 /* change the ptr and reinsert the node */
1919 entry->node.key = new_ckchs;
1920 ebpt_insert(&entry->crtlist->entries, &entry->node);
1921 }
1922
William Lallemanda55685b2020-12-15 14:57:46 +01001923 /* insert the new ckch_insts in the crtlist_entry */
1924 list_for_each_entry(ckchi, &new_ckchs->ckch_inst, by_ckchs) {
1925 if (ckchi->crtlist_entry)
Willy Tarreau2b718102021-04-21 07:32:39 +02001926 LIST_INSERT(&ckchi->crtlist_entry->ckch_inst, &ckchi->by_crtlist_entry);
William Lallemanda55685b2020-12-15 14:57:46 +01001927 }
1928
William Lallemandda8584c2020-05-14 10:14:37 +02001929 /* First, we insert every new SNIs in the trees, also replace the default_ctx */
1930 list_for_each_entry_safe(ckchi, ckchis, &new_ckchs->ckch_inst, by_ckchs) {
Remi Tricot-Le Bretonbfadc022021-02-24 12:20:48 +01001931 __ssl_sock_load_new_ckch_instance(ckchi);
William Lallemandda8584c2020-05-14 10:14:37 +02001932 }
1933
1934 /* delete the old sni_ctx, the old ckch_insts and the ckch_store */
1935 list_for_each_entry_safe(ckchi, ckchis, &old_ckchs->ckch_inst, by_ckchs) {
Remi Tricot-Le Bretonbfadc022021-02-24 12:20:48 +01001936 __ckch_inst_free_locked(ckchi);
William Lallemandda8584c2020-05-14 10:14:37 +02001937 }
1938
1939 /* Replace the old ckchs by the new one */
1940 ckch_store_free(old_ckchs);
1941 ebst_insert(&ckchs_tree, &new_ckchs->node);
1942 appctx->st2 = SETCERT_ST_FIN;
1943 /* fallthrough */
1944 case SETCERT_ST_FIN:
1945 /* we achieved the transaction, we can set everything to NULL */
Willy Tarreau61cfdf42021-02-20 10:46:51 +01001946 ha_free(&ckchs_transaction.path);
William Lallemandda8584c2020-05-14 10:14:37 +02001947 ckchs_transaction.new_ckchs = NULL;
1948 ckchs_transaction.old_ckchs = NULL;
1949 goto end;
1950 }
1951 }
1952end:
1953
1954 chunk_appendf(trash, "\n");
William Lallemandda8584c2020-05-14 10:14:37 +02001955 chunk_appendf(trash, "Success!\n");
1956 if (ci_putchk(si_ic(si), trash) == -1)
1957 si_rx_room_blk(si);
1958 free_trash_chunk(trash);
1959 /* success: call the release function and don't come back */
1960 return 1;
1961yield:
1962 /* store the state */
1963 if (ci_putchk(si_ic(si), trash) == -1)
1964 si_rx_room_blk(si);
1965 free_trash_chunk(trash);
1966 si_rx_endp_more(si); /* let's come back later */
1967 return 0; /* should come back */
1968
1969error:
1970 /* spin unlock and free are done in the release function */
1971 if (trash) {
1972 chunk_appendf(trash, "\n%sFailed!\n", err);
1973 if (ci_putchk(si_ic(si), trash) == -1)
1974 si_rx_room_blk(si);
1975 free_trash_chunk(trash);
1976 }
1977 /* error: call the release function and don't come back */
1978 return 1;
1979}
1980
1981/*
1982 * Parsing function of 'commit ssl cert'
1983 */
1984static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appctx, void *private)
1985{
1986 char *err = NULL;
1987
1988 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
1989 return 1;
1990
1991 if (!*args[3])
1992 return cli_err(appctx, "'commit ssl cert expects a filename\n");
1993
1994 /* The operations on the CKCH architecture are locked so we can
1995 * manipulate ckch_store and ckch_inst */
1996 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
1997 return cli_err(appctx, "Can't commit the certificate!\nOperations on certificates are currently locked!\n");
1998
1999 if (!ckchs_transaction.path) {
2000 memprintf(&err, "No ongoing transaction! !\n");
2001 goto error;
2002 }
2003
2004 if (strcmp(ckchs_transaction.path, args[3]) != 0) {
2005 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to set '%s'\n", ckchs_transaction.path, args[3]);
2006 goto error;
2007 }
2008
William Lallemand5685ccf2020-09-16 16:12:25 +02002009 /* if a certificate is here, a private key must be here too */
2010 if (ckchs_transaction.new_ckchs->ckch->cert && !ckchs_transaction.new_ckchs->ckch->key) {
2011 memprintf(&err, "The transaction must contain at least a certificate and a private key!\n");
2012 goto error;
2013 }
William Lallemanda9419522020-06-24 16:26:41 +02002014
William Lallemand5685ccf2020-09-16 16:12:25 +02002015 if (!X509_check_private_key(ckchs_transaction.new_ckchs->ckch->cert, ckchs_transaction.new_ckchs->ckch->key)) {
2016 memprintf(&err, "inconsistencies between private key and certificate loaded '%s'.\n", ckchs_transaction.path);
2017 goto error;
William Lallemandda8584c2020-05-14 10:14:37 +02002018 }
2019
2020 /* init the appctx structure */
2021 appctx->st2 = SETCERT_ST_INIT;
2022 appctx->ctx.ssl.next_ckchi = NULL;
2023 appctx->ctx.ssl.new_ckchs = ckchs_transaction.new_ckchs;
2024 appctx->ctx.ssl.old_ckchs = ckchs_transaction.old_ckchs;
2025
2026 /* we don't unlock there, it will be unlock after the IO handler, in the release handler */
2027 return 0;
2028
2029error:
2030
2031 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2032 err = memprintf(&err, "%sCan't commit %s!\n", err ? err : "", args[3]);
2033
2034 return cli_dynerr(appctx, err);
2035}
2036
2037
2038
2039
2040/*
2041 * Parsing function of `set ssl cert`, it updates or creates a temporary ckch.
2042 */
2043static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx, void *private)
2044{
2045 struct ckch_store *new_ckchs = NULL;
2046 struct ckch_store *old_ckchs = NULL;
2047 char *err = NULL;
2048 int i;
William Lallemandda8584c2020-05-14 10:14:37 +02002049 int errcode = 0;
2050 char *end;
2051 int type = CERT_TYPE_PEM;
2052 struct cert_key_and_chain *ckch;
2053 struct buffer *buf;
2054
2055 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
2056 return 1;
2057
William Lallemandda8584c2020-05-14 10:14:37 +02002058 if (!*args[3] || !payload)
2059 return cli_err(appctx, "'set ssl cert expects a filename and a certificate as a payload\n");
2060
2061 /* The operations on the CKCH architecture are locked so we can
2062 * manipulate ckch_store and ckch_inst */
2063 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
2064 return cli_err(appctx, "Can't update the certificate!\nOperations on certificates are currently locked!\n");
2065
William Lallemand5ba80d62021-05-04 16:17:27 +02002066 if ((buf = alloc_trash_chunk()) == NULL) {
2067 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
2068 errcode |= ERR_ALERT | ERR_FATAL;
2069 goto end;
2070 }
William Lallemande5ff4ad2020-06-08 09:40:37 +02002071
William Lallemandda8584c2020-05-14 10:14:37 +02002072 if (!chunk_strcpy(buf, args[3])) {
2073 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
2074 errcode |= ERR_ALERT | ERR_FATAL;
2075 goto end;
2076 }
2077
2078 /* check which type of file we want to update */
2079 for (i = 0; cert_exts[i].type < CERT_TYPE_MAX; i++) {
2080 end = strrchr(buf->area, '.');
Tim Duesterhuse5ff1412021-01-02 22:31:53 +01002081 if (end && *cert_exts[i].ext && (strcmp(end + 1, cert_exts[i].ext) == 0)) {
William Lallemandda8584c2020-05-14 10:14:37 +02002082 *end = '\0';
William Lallemand089c1382020-10-23 17:35:12 +02002083 buf->data = strlen(buf->area);
William Lallemandda8584c2020-05-14 10:14:37 +02002084 type = cert_exts[i].type;
2085 break;
2086 }
2087 }
2088
2089 appctx->ctx.ssl.old_ckchs = NULL;
2090 appctx->ctx.ssl.new_ckchs = NULL;
2091
2092 /* if there is an ongoing transaction */
2093 if (ckchs_transaction.path) {
William Lallemandda8584c2020-05-14 10:14:37 +02002094 /* if there is an ongoing transaction, check if this is the same file */
2095 if (strcmp(ckchs_transaction.path, buf->area) != 0) {
William Lallemand089c1382020-10-23 17:35:12 +02002096 /* we didn't find the transaction, must try more cases below */
2097
2098 /* if the del-ext option is activated we should try to take a look at a ".crt" too. */
2099 if (type != CERT_TYPE_PEM && global_ssl.extra_files_noext) {
2100 if (!chunk_strcat(buf, ".crt")) {
2101 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
2102 errcode |= ERR_ALERT | ERR_FATAL;
2103 goto end;
2104 }
2105
2106 if (strcmp(ckchs_transaction.path, buf->area) != 0) {
2107 /* remove .crt of the error message */
2108 *(b_orig(buf) + b_data(buf) + strlen(".crt")) = '\0';
2109 b_sub(buf, strlen(".crt"));
2110
2111 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to set '%s'\n", ckchs_transaction.path, buf->area);
2112 errcode |= ERR_ALERT | ERR_FATAL;
2113 goto end;
2114 }
2115 }
William Lallemandda8584c2020-05-14 10:14:37 +02002116 }
2117
2118 appctx->ctx.ssl.old_ckchs = ckchs_transaction.new_ckchs;
2119
2120 } else {
William Lallemandda8584c2020-05-14 10:14:37 +02002121
William Lallemand95fefa12020-09-09 12:01:33 +02002122 /* lookup for the certificate in the tree */
2123 appctx->ctx.ssl.old_ckchs = ckchs_lookup(buf->area);
William Lallemand089c1382020-10-23 17:35:12 +02002124
2125 if (!appctx->ctx.ssl.old_ckchs) {
2126 /* if the del-ext option is activated we should try to take a look at a ".crt" too. */
2127 if (type != CERT_TYPE_PEM && global_ssl.extra_files_noext) {
2128 if (!chunk_strcat(buf, ".crt")) {
2129 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
2130 errcode |= ERR_ALERT | ERR_FATAL;
2131 goto end;
2132 }
2133 appctx->ctx.ssl.old_ckchs = ckchs_lookup(buf->area);
2134 }
2135 }
William Lallemandda8584c2020-05-14 10:14:37 +02002136 }
2137
2138 if (!appctx->ctx.ssl.old_ckchs) {
2139 memprintf(&err, "%sCan't replace a certificate which is not referenced by the configuration!\n",
2140 err ? err : "");
2141 errcode |= ERR_ALERT | ERR_FATAL;
2142 goto end;
2143 }
2144
2145 if (!appctx->ctx.ssl.path) {
2146 /* this is a new transaction, set the path of the transaction */
2147 appctx->ctx.ssl.path = strdup(appctx->ctx.ssl.old_ckchs->path);
2148 if (!appctx->ctx.ssl.path) {
2149 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
2150 errcode |= ERR_ALERT | ERR_FATAL;
2151 goto end;
2152 }
2153 }
2154
2155 old_ckchs = appctx->ctx.ssl.old_ckchs;
2156
2157 /* duplicate the ckch store */
2158 new_ckchs = ckchs_dup(old_ckchs);
2159 if (!new_ckchs) {
2160 memprintf(&err, "%sCannot allocate memory!\n",
2161 err ? err : "");
2162 errcode |= ERR_ALERT | ERR_FATAL;
2163 goto end;
2164 }
2165
William Lallemand95fefa12020-09-09 12:01:33 +02002166 ckch = new_ckchs->ckch;
William Lallemandda8584c2020-05-14 10:14:37 +02002167
2168 /* appply the change on the duplicate */
2169 if (cert_exts[type].load(buf->area, payload, ckch, &err) != 0) {
2170 memprintf(&err, "%sCan't load the payload\n", err ? err : "");
2171 errcode |= ERR_ALERT | ERR_FATAL;
2172 goto end;
2173 }
2174
2175 appctx->ctx.ssl.new_ckchs = new_ckchs;
2176
2177 /* we succeed, we can save the ckchs in the transaction */
2178
2179 /* if there wasn't a transaction, update the old ckchs */
2180 if (!ckchs_transaction.old_ckchs) {
2181 ckchs_transaction.old_ckchs = appctx->ctx.ssl.old_ckchs;
2182 ckchs_transaction.path = appctx->ctx.ssl.path;
2183 err = memprintf(&err, "Transaction created for certificate %s!\n", ckchs_transaction.path);
2184 } else {
2185 err = memprintf(&err, "Transaction updated for certificate %s!\n", ckchs_transaction.path);
2186
2187 }
2188
2189 /* free the previous ckchs if there was a transaction */
2190 ckch_store_free(ckchs_transaction.new_ckchs);
2191
2192 ckchs_transaction.new_ckchs = appctx->ctx.ssl.new_ckchs;
2193
2194
2195 /* creates the SNI ctxs later in the IO handler */
2196
2197end:
2198 free_trash_chunk(buf);
2199
2200 if (errcode & ERR_CODE) {
2201
2202 ckch_store_free(appctx->ctx.ssl.new_ckchs);
2203 appctx->ctx.ssl.new_ckchs = NULL;
2204
2205 appctx->ctx.ssl.old_ckchs = NULL;
2206
Willy Tarreau61cfdf42021-02-20 10:46:51 +01002207 ha_free(&appctx->ctx.ssl.path);
William Lallemandda8584c2020-05-14 10:14:37 +02002208
2209 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2210 return cli_dynerr(appctx, memprintf(&err, "%sCan't update %s!\n", err ? err : "", args[3]));
2211 } else {
2212
2213 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2214 return cli_dynmsg(appctx, LOG_NOTICE, err);
2215 }
2216 /* TODO: handle the ERR_WARN which are not handled because of the io_handler */
2217}
2218
2219/* parsing function of 'abort ssl cert' */
2220static int cli_parse_abort_cert(char **args, char *payload, struct appctx *appctx, void *private)
2221{
2222 char *err = NULL;
2223
2224 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
2225 return 1;
2226
2227 if (!*args[3])
2228 return cli_err(appctx, "'abort ssl cert' expects a filename\n");
2229
2230 /* The operations on the CKCH architecture are locked so we can
2231 * manipulate ckch_store and ckch_inst */
2232 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
2233 return cli_err(appctx, "Can't abort!\nOperations on certificates are currently locked!\n");
2234
2235 if (!ckchs_transaction.path) {
2236 memprintf(&err, "No ongoing transaction!\n");
2237 goto error;
2238 }
2239
2240 if (strcmp(ckchs_transaction.path, args[3]) != 0) {
2241 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to abort a transaction for '%s'\n", ckchs_transaction.path, args[3]);
2242 goto error;
2243 }
2244
2245 /* Only free the ckchs there, because the SNI and instances were not generated yet */
2246 ckch_store_free(ckchs_transaction.new_ckchs);
2247 ckchs_transaction.new_ckchs = NULL;
William Lallemandda8584c2020-05-14 10:14:37 +02002248 ckchs_transaction.old_ckchs = NULL;
Willy Tarreau61cfdf42021-02-20 10:46:51 +01002249 ha_free(&ckchs_transaction.path);
William Lallemandda8584c2020-05-14 10:14:37 +02002250
2251 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2252
2253 err = memprintf(&err, "Transaction aborted for certificate '%s'!\n", args[3]);
2254 return cli_dynmsg(appctx, LOG_NOTICE, err);
2255
2256error:
2257 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2258
2259 return cli_dynerr(appctx, err);
2260}
2261
2262/* parsing function of 'new ssl cert' */
2263static int cli_parse_new_cert(char **args, char *payload, struct appctx *appctx, void *private)
2264{
2265 struct ckch_store *store;
2266 char *err = NULL;
2267 char *path;
2268
2269 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
2270 return 1;
2271
2272 if (!*args[3])
2273 return cli_err(appctx, "'new ssl cert' expects a filename\n");
2274
2275 path = args[3];
2276
2277 /* The operations on the CKCH architecture are locked so we can
2278 * manipulate ckch_store and ckch_inst */
2279 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
2280 return cli_err(appctx, "Can't create a certificate!\nOperations on certificates are currently locked!\n");
2281
2282 store = ckchs_lookup(path);
2283 if (store != NULL) {
2284 memprintf(&err, "Certificate '%s' already exists!\n", path);
2285 store = NULL; /* we don't want to free it */
2286 goto error;
2287 }
2288 /* we won't support multi-certificate bundle here */
William Lallemandbd8e6ed2020-09-16 16:08:08 +02002289 store = ckch_store_new(path);
William Lallemandda8584c2020-05-14 10:14:37 +02002290 if (!store) {
2291 memprintf(&err, "unable to allocate memory.\n");
2292 goto error;
2293 }
2294
2295 /* insert into the ckchs tree */
2296 ebst_insert(&ckchs_tree, &store->node);
2297 memprintf(&err, "New empty certificate store '%s'!\n", args[3]);
2298
2299 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2300 return cli_dynmsg(appctx, LOG_NOTICE, err);
2301error:
2302 free(store);
2303 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2304 return cli_dynerr(appctx, err);
2305}
2306
2307/* parsing function of 'del ssl cert' */
2308static int cli_parse_del_cert(char **args, char *payload, struct appctx *appctx, void *private)
2309{
2310 struct ckch_store *store;
2311 char *err = NULL;
2312 char *filename;
2313
2314 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
2315 return 1;
2316
2317 if (!*args[3])
2318 return cli_err(appctx, "'del ssl cert' expects a certificate name\n");
2319
2320 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
2321 return cli_err(appctx, "Can't delete the certificate!\nOperations on certificates are currently locked!\n");
2322
2323 filename = args[3];
2324
2325 store = ckchs_lookup(filename);
2326 if (store == NULL) {
2327 memprintf(&err, "certificate '%s' doesn't exist!\n", filename);
2328 goto error;
2329 }
2330 if (!LIST_ISEMPTY(&store->ckch_inst)) {
2331 memprintf(&err, "certificate '%s' in use, can't be deleted!\n", filename);
2332 goto error;
2333 }
2334
2335 ebmb_delete(&store->node);
2336 ckch_store_free(store);
2337
2338 memprintf(&err, "Certificate '%s' deleted!\n", filename);
2339
2340 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2341 return cli_dynmsg(appctx, LOG_NOTICE, err);
2342
2343error:
2344 memprintf(&err, "Can't remove the certificate: %s\n", err ? err : "");
2345 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2346 return cli_dynerr(appctx, err);
2347}
2348
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002349
Remi Tricot-Le Breton9f40fe02021-03-16 16:21:27 +01002350
2351/* parsing function of 'new ssl ca-file' */
2352static int cli_parse_new_cafile(char **args, char *payload, struct appctx *appctx, void *private)
2353{
2354 struct cafile_entry *cafile_entry;
2355 char *err = NULL;
2356 char *path;
2357
2358 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
2359 return 1;
2360
2361 if (!*args[3])
2362 return cli_err(appctx, "'new ssl ca-file' expects a filename\n");
2363
2364 path = args[3];
2365
2366 /* The operations on the CKCH architecture are locked so we can
2367 * manipulate ckch_store and ckch_inst */
2368 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
2369 return cli_err(appctx, "Can't create a CA file!\nOperations on certificates are currently locked!\n");
2370
2371 cafile_entry = ssl_store_get_cafile_entry(path, 0);
2372 if (cafile_entry) {
2373 memprintf(&err, "CA file '%s' already exists!\n", path);
2374 goto error;
2375 }
2376
2377 cafile_entry = ssl_store_create_cafile_entry(path, NULL, CAFILE_CERT);
2378 if (!cafile_entry) {
2379 memprintf(&err, "%sCannot allocate memory!\n",
2380 err ? err : "");
2381 goto error;
2382 }
2383
2384 /* Add the newly created cafile_entry to the tree so that
2385 * any new ckch instance created from now can use it. */
2386 if (ssl_store_add_uncommitted_cafile_entry(cafile_entry))
2387 goto error;
2388
2389 memprintf(&err, "New CA file created '%s'!\n", path);
2390
2391 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2392 return cli_dynmsg(appctx, LOG_NOTICE, err);
2393error:
2394 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2395 return cli_dynerr(appctx, err);
2396}
2397
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002398/*
2399 * Parsing function of `set ssl ca-file`
2400 */
2401static int cli_parse_set_cafile(char **args, char *payload, struct appctx *appctx, void *private)
2402{
2403 char *err = NULL;
2404 int errcode = 0;
2405 struct buffer *buf;
2406
2407 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
2408 return 1;
2409
2410 if (!*args[3] || !payload)
2411 return cli_err(appctx, "'set ssl ca-file expects a filename and CAs as a payload\n");
2412
2413 /* The operations on the CKCH architecture are locked so we can
2414 * manipulate ckch_store and ckch_inst */
2415 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
2416 return cli_err(appctx, "Can't update the CA file!\nOperations on certificates are currently locked!\n");
2417
2418 if ((buf = alloc_trash_chunk()) == NULL) {
2419 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
2420 errcode |= ERR_ALERT | ERR_FATAL;
2421 goto end;
2422 }
2423
2424 if (!chunk_strcpy(buf, args[3])) {
2425 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
2426 errcode |= ERR_ALERT | ERR_FATAL;
2427 goto end;
2428 }
2429
2430 appctx->ctx.ssl.old_cafile_entry = NULL;
2431 appctx->ctx.ssl.new_cafile_entry = NULL;
2432
2433 /* if there is an ongoing transaction */
2434 if (cafile_transaction.path) {
2435 /* if there is an ongoing transaction, check if this is the same file */
2436 if (strcmp(cafile_transaction.path, buf->area) != 0) {
2437 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to set '%s'\n", cafile_transaction.path, buf->area);
2438 errcode |= ERR_ALERT | ERR_FATAL;
2439 goto end;
2440 }
2441 appctx->ctx.ssl.old_cafile_entry = cafile_transaction.old_cafile_entry;
2442 }
2443 else {
2444 /* lookup for the certificate in the tree */
2445 appctx->ctx.ssl.old_cafile_entry = ssl_store_get_cafile_entry(buf->area, 0);
2446 }
2447
2448 if (!appctx->ctx.ssl.old_cafile_entry) {
2449 memprintf(&err, "%sCan't replace a CA file which is not referenced by the configuration!\n",
2450 err ? err : "");
2451 errcode |= ERR_ALERT | ERR_FATAL;
2452 goto end;
2453 }
2454
2455 if (!appctx->ctx.ssl.path) {
2456 /* this is a new transaction, set the path of the transaction */
2457 appctx->ctx.ssl.path = strdup(appctx->ctx.ssl.old_cafile_entry->path);
2458 if (!appctx->ctx.ssl.path) {
2459 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
2460 errcode |= ERR_ALERT | ERR_FATAL;
2461 goto end;
2462 }
2463 }
2464
2465 if (appctx->ctx.ssl.new_cafile_entry)
2466 ssl_store_delete_cafile_entry(appctx->ctx.ssl.new_cafile_entry);
2467
2468 /* Create a new cafile_entry without adding it to the cafile tree. */
Remi Tricot-Le Breton0bb48242021-04-16 17:59:23 +02002469 appctx->ctx.ssl.new_cafile_entry = ssl_store_create_cafile_entry(appctx->ctx.ssl.path, NULL, CAFILE_CERT);
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002470 if (!appctx->ctx.ssl.new_cafile_entry) {
2471 memprintf(&err, "%sCannot allocate memory!\n",
2472 err ? err : "");
2473 errcode |= ERR_ALERT | ERR_FATAL;
2474 goto end;
2475 }
2476
2477 /* Fill the new entry with the new CAs. */
2478 if (ssl_store_load_ca_from_buf(appctx->ctx.ssl.new_cafile_entry, payload)) {
2479 memprintf(&err, "%sInvalid payload\n", err ? err : "");
2480 errcode |= ERR_ALERT | ERR_FATAL;
2481 goto end;
2482 }
2483
2484 /* we succeed, we can save the ca in the transaction */
2485
2486 /* if there wasn't a transaction, update the old CA */
2487 if (!cafile_transaction.old_cafile_entry) {
2488 cafile_transaction.old_cafile_entry = appctx->ctx.ssl.old_cafile_entry;
2489 cafile_transaction.path = appctx->ctx.ssl.path;
2490 err = memprintf(&err, "transaction created for CA %s!\n", cafile_transaction.path);
2491 } else {
2492 err = memprintf(&err, "transaction updated for CA %s!\n", cafile_transaction.path);
2493 }
2494
2495 /* free the previous CA if there was a transaction */
2496 ssl_store_delete_cafile_entry(cafile_transaction.new_cafile_entry);
2497
2498 cafile_transaction.new_cafile_entry = appctx->ctx.ssl.new_cafile_entry;
2499
2500 /* creates the SNI ctxs later in the IO handler */
2501
2502end:
2503 free_trash_chunk(buf);
2504
2505 if (errcode & ERR_CODE) {
2506 ssl_store_delete_cafile_entry(appctx->ctx.ssl.new_cafile_entry);
2507 appctx->ctx.ssl.new_cafile_entry = NULL;
2508 appctx->ctx.ssl.old_cafile_entry = NULL;
2509
Tim Duesterhus025b93e2021-11-04 21:03:52 +01002510 ha_free(&appctx->ctx.ssl.path);
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002511
2512 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2513 return cli_dynerr(appctx, memprintf(&err, "%sCan't update %s!\n", err ? err : "", args[3]));
2514 } else {
2515
2516 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2517 return cli_dynmsg(appctx, LOG_NOTICE, err);
2518 }
2519}
2520
2521
2522/*
2523 * Parsing function of 'commit ssl ca-file'
2524 */
2525static int cli_parse_commit_cafile(char **args, char *payload, struct appctx *appctx, void *private)
2526{
2527 char *err = NULL;
2528
2529 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
2530 return 1;
2531
2532 if (!*args[3])
2533 return cli_err(appctx, "'commit ssl ca-file expects a filename\n");
2534
2535 /* The operations on the CKCH architecture are locked so we can
2536 * manipulate ckch_store and ckch_inst */
2537 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
2538 return cli_err(appctx, "Can't commit the CA file!\nOperations on certificates are currently locked!\n");
2539
2540 if (!cafile_transaction.path) {
2541 memprintf(&err, "No ongoing transaction! !\n");
2542 goto error;
2543 }
2544
2545 if (strcmp(cafile_transaction.path, args[3]) != 0) {
2546 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to set '%s'\n", cafile_transaction.path, args[3]);
2547 goto error;
2548 }
2549 /* init the appctx structure */
2550 appctx->st2 = SETCERT_ST_INIT;
2551 appctx->ctx.ssl.next_ckchi_link = NULL;
2552 appctx->ctx.ssl.old_cafile_entry = cafile_transaction.old_cafile_entry;
2553 appctx->ctx.ssl.new_cafile_entry = cafile_transaction.new_cafile_entry;
Remi Tricot-Le Bretona51b3392021-04-20 17:38:14 +02002554 appctx->ctx.ssl.cafile_type = CAFILE_CERT;
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002555
2556 return 0;
2557
2558error:
2559
2560 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2561 err = memprintf(&err, "%sCan't commit %s!\n", err ? err : "", args[3]);
2562
2563 return cli_dynerr(appctx, err);
2564}
2565
2566enum {
2567 CREATE_NEW_INST_OK = 0,
2568 CREATE_NEW_INST_YIELD = -1,
2569 CREATE_NEW_INST_ERR = -2
2570};
2571
2572static inline int __create_new_instance(struct appctx *appctx, struct ckch_inst *ckchi, int *count,
Remi Tricot-Le Bretond75b99e2021-05-17 11:45:55 +02002573 struct buffer *trash, char **err)
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002574{
2575 struct ckch_inst *new_inst;
2576
2577 /* it takes a lot of CPU to creates SSL_CTXs, so we yield every 10 CKCH instances */
2578 if (*count >= 10) {
2579 /* save the next ckchi to compute */
2580 appctx->ctx.ssl.next_ckchi = ckchi;
2581 return CREATE_NEW_INST_YIELD;
2582 }
2583
2584 /* Rebuild a new ckch instance that uses the same ckch_store
2585 * than a reference ckchi instance but will use a new CA file. */
Remi Tricot-Le Bretond75b99e2021-05-17 11:45:55 +02002586 if (ckch_inst_rebuild(ckchi->ckch_store, ckchi, &new_inst, err))
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002587 return CREATE_NEW_INST_ERR;
2588
2589 /* display one dot per new instance */
2590 chunk_appendf(trash, ".");
2591 ++(*count);
2592
2593 return CREATE_NEW_INST_OK;
2594}
2595
2596/*
2597 * This function tries to create new ckch instances and their SNIs using a newly
Remi Tricot-Le Bretona51b3392021-04-20 17:38:14 +02002598 * set certificate authority (CA file) or a newly set Certificate Revocation
2599 * List (CRL), depending on the command being called.
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002600 */
Remi Tricot-Le Bretona51b3392021-04-20 17:38:14 +02002601static int cli_io_handler_commit_cafile_crlfile(struct appctx *appctx)
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002602{
2603 struct stream_interface *si = appctx->owner;
2604 int y = 0;
2605 char *err = NULL;
Remi Tricot-Le Bretona6b27842021-05-18 10:06:00 +02002606 struct cafile_entry *old_cafile_entry = NULL, *new_cafile_entry = NULL;
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002607 struct ckch_inst_link *ckchi_link;
2608 struct buffer *trash = alloc_trash_chunk();
2609
2610 if (trash == NULL)
2611 goto error;
2612
2613 if (unlikely(si_ic(si)->flags & (CF_WRITE_ERROR|CF_SHUTW)))
2614 goto error;
2615
2616 while (1) {
2617 switch (appctx->st2) {
2618 case SETCERT_ST_INIT:
2619 /* This state just print the update message */
Remi Tricot-Le Bretona51b3392021-04-20 17:38:14 +02002620 switch (appctx->ctx.ssl.cafile_type) {
2621 case CAFILE_CERT:
2622 chunk_printf(trash, "Committing %s", cafile_transaction.path);
2623 break;
2624 case CAFILE_CRL:
2625 chunk_printf(trash, "Committing %s", crlfile_transaction.path);
2626 break;
2627 default:
2628 goto error;
2629 }
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002630 if (ci_putchk(si_ic(si), trash) == -1) {
2631 si_rx_room_blk(si);
2632 goto yield;
2633 }
2634 appctx->st2 = SETCERT_ST_GEN;
2635 /* fallthrough */
2636 case SETCERT_ST_GEN:
2637 /*
2638 * This state generates the ckch instances with their
2639 * sni_ctxs and SSL_CTX.
2640 *
2641 * Since the SSL_CTX generation can be CPU consumer, we
2642 * yield every 10 instances.
2643 */
Remi Tricot-Le Bretona51b3392021-04-20 17:38:14 +02002644 switch (appctx->ctx.ssl.cafile_type) {
2645 case CAFILE_CERT:
2646 old_cafile_entry = appctx->ctx.ssl.old_cafile_entry;
2647 new_cafile_entry = appctx->ctx.ssl.new_cafile_entry;
2648 break;
2649 case CAFILE_CRL:
2650 old_cafile_entry = appctx->ctx.ssl.old_crlfile_entry;
2651 new_cafile_entry = appctx->ctx.ssl.new_crlfile_entry;
2652 break;
2653 }
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002654 if (!new_cafile_entry)
2655 continue;
2656
2657 /* get the next ckchi to regenerate */
2658 ckchi_link = appctx->ctx.ssl.next_ckchi_link;
2659 /* we didn't start yet, set it to the first elem */
2660 if (ckchi_link == NULL) {
2661 ckchi_link = LIST_ELEM(old_cafile_entry->ckch_inst_link.n, typeof(ckchi_link), list);
2662 /* Add the newly created cafile_entry to the tree so that
2663 * any new ckch instance created from now can use it. */
2664 if (ssl_store_add_uncommitted_cafile_entry(new_cafile_entry))
2665 goto error;
2666 }
2667
2668 list_for_each_entry_from(ckchi_link, &old_cafile_entry->ckch_inst_link, list) {
Remi Tricot-Le Bretond75b99e2021-05-17 11:45:55 +02002669 switch (__create_new_instance(appctx, ckchi_link->ckch_inst, &y, trash, &err)) {
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002670 case CREATE_NEW_INST_YIELD:
2671 appctx->ctx.ssl.next_ckchi_link = ckchi_link;
2672 goto yield;
2673 case CREATE_NEW_INST_ERR:
2674 goto error;
2675 default: break;
2676 }
2677 }
2678
2679 appctx->st2 = SETCERT_ST_INSERT;
2680 /* fallthrough */
2681 case SETCERT_ST_INSERT:
2682 /* The generation is finished, we can insert everything */
Remi Tricot-Le Bretona51b3392021-04-20 17:38:14 +02002683 switch (appctx->ctx.ssl.cafile_type) {
2684 case CAFILE_CERT:
2685 old_cafile_entry = appctx->ctx.ssl.old_cafile_entry;
2686 new_cafile_entry = appctx->ctx.ssl.new_cafile_entry;
2687 break;
2688 case CAFILE_CRL:
2689 old_cafile_entry = appctx->ctx.ssl.old_crlfile_entry;
2690 new_cafile_entry = appctx->ctx.ssl.new_crlfile_entry;
2691 break;
2692 }
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002693 if (!new_cafile_entry)
2694 continue;
2695
2696 /* insert the new ckch_insts in the crtlist_entry */
2697 list_for_each_entry(ckchi_link, &new_cafile_entry->ckch_inst_link, list) {
2698 if (ckchi_link->ckch_inst->crtlist_entry)
2699 LIST_INSERT(&ckchi_link->ckch_inst->crtlist_entry->ckch_inst,
2700 &ckchi_link->ckch_inst->by_crtlist_entry);
2701 }
2702
2703 /* First, we insert every new SNIs in the trees, also replace the default_ctx */
2704 list_for_each_entry(ckchi_link, &new_cafile_entry->ckch_inst_link, list) {
2705 __ssl_sock_load_new_ckch_instance(ckchi_link->ckch_inst);
2706 }
2707
2708 /* delete the old sni_ctx, the old ckch_insts and the ckch_store */
2709 list_for_each_entry(ckchi_link, &old_cafile_entry->ckch_inst_link, list) {
2710 __ckch_inst_free_locked(ckchi_link->ckch_inst);
2711 }
2712
2713
2714 /* Remove the old cafile entry from the tree */
2715 ebmb_delete(&old_cafile_entry->node);
2716 ssl_store_delete_cafile_entry(old_cafile_entry);
2717
2718 appctx->st2 = SETCERT_ST_FIN;
2719 /* fallthrough */
2720 case SETCERT_ST_FIN:
2721 /* we achieved the transaction, we can set everything to NULL */
Remi Tricot-Le Bretona51b3392021-04-20 17:38:14 +02002722 switch (appctx->ctx.ssl.cafile_type) {
2723 case CAFILE_CERT:
2724 ha_free(&cafile_transaction.path);
2725 cafile_transaction.old_cafile_entry = NULL;
2726 cafile_transaction.new_cafile_entry = NULL;
2727 break;
2728 case CAFILE_CRL:
2729 ha_free(&crlfile_transaction.path);
2730 crlfile_transaction.old_crlfile_entry = NULL;
2731 crlfile_transaction.new_crlfile_entry = NULL;
2732 break;
2733 }
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002734 goto end;
2735 }
2736 }
2737end:
2738
2739 chunk_appendf(trash, "\n");
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002740 chunk_appendf(trash, "Success!\n");
2741 if (ci_putchk(si_ic(si), trash) == -1)
2742 si_rx_room_blk(si);
2743 free_trash_chunk(trash);
2744 /* success: call the release function and don't come back */
2745 return 1;
2746yield:
2747 /* store the state */
2748 if (ci_putchk(si_ic(si), trash) == -1)
2749 si_rx_room_blk(si);
2750 free_trash_chunk(trash);
2751 si_rx_endp_more(si); /* let's come back later */
2752 return 0; /* should come back */
2753
2754error:
2755 /* spin unlock and free are done in the release function */
2756 if (trash) {
2757 chunk_appendf(trash, "\n%sFailed!\n", err);
2758 if (ci_putchk(si_ic(si), trash) == -1)
2759 si_rx_room_blk(si);
2760 free_trash_chunk(trash);
2761 }
2762 /* error: call the release function and don't come back */
2763 return 1;
2764}
2765
Remi Tricot-Le Bretond5fd09d2021-03-11 10:22:52 +01002766
2767/* parsing function of 'abort ssl ca-file' */
2768static int cli_parse_abort_cafile(char **args, char *payload, struct appctx *appctx, void *private)
2769{
2770 char *err = NULL;
2771
2772 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
2773 return 1;
2774
2775 if (!*args[3])
2776 return cli_err(appctx, "'abort ssl ca-file' expects a filename\n");
2777
2778 /* The operations on the CKCH architecture are locked so we can
2779 * manipulate ckch_store and ckch_inst */
2780 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
2781 return cli_err(appctx, "Can't abort!\nOperations on certificates are currently locked!\n");
2782
2783 if (!cafile_transaction.path) {
2784 memprintf(&err, "No ongoing transaction!\n");
2785 goto error;
2786 }
2787
2788 if (strcmp(cafile_transaction.path, args[3]) != 0) {
2789 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to abort a transaction for '%s'\n", cafile_transaction.path, args[3]);
2790 goto error;
2791 }
2792
2793 /* Only free the uncommitted cafile_entry here, because the SNI and instances were not generated yet */
2794 ssl_store_delete_cafile_entry(cafile_transaction.new_cafile_entry);
2795 cafile_transaction.new_cafile_entry = NULL;
2796 cafile_transaction.old_cafile_entry = NULL;
2797 ha_free(&cafile_transaction.path);
2798
2799 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2800
2801 err = memprintf(&err, "Transaction aborted for certificate '%s'!\n", args[3]);
2802 return cli_dynmsg(appctx, LOG_NOTICE, err);
2803
2804error:
2805 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2806
2807 return cli_dynerr(appctx, err);
2808}
2809
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01002810/* release function of the `commit ssl ca-file' command, free things and unlock the spinlock */
2811static void cli_release_commit_cafile(struct appctx *appctx)
2812{
2813 if (appctx->st2 != SETCERT_ST_FIN) {
2814 struct cafile_entry *new_cafile_entry = appctx->ctx.ssl.new_cafile_entry;
2815
2816 /* Remove the uncommitted cafile_entry from the tree. */
2817 ebmb_delete(&new_cafile_entry->node);
2818 ssl_store_delete_cafile_entry(new_cafile_entry);
2819 }
2820 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2821}
2822
2823
Remi Tricot-Le Breton2a22e162021-03-16 11:19:33 +01002824/* IO handler of details "show ssl ca-file <filename[:index]>" */
2825static int cli_io_handler_show_cafile_detail(struct appctx *appctx)
2826{
2827 struct stream_interface *si = appctx->owner;
2828 struct cafile_entry *cafile_entry = appctx->ctx.cli.p0;
2829 struct buffer *out = alloc_trash_chunk();
2830 int i;
2831 X509 *cert;
2832 STACK_OF(X509_OBJECT) *objs;
2833 int retval = 0;
2834 long ca_index = (long)appctx->ctx.cli.p1;
2835
2836 if (!out)
2837 goto end_no_putchk;
2838
2839 chunk_appendf(out, "Filename: ");
2840 if (cafile_entry == cafile_transaction.new_cafile_entry)
2841 chunk_appendf(out, "*");
2842 chunk_appendf(out, "%s\n", cafile_entry->path);
2843
2844 chunk_appendf(out, "Status: ");
2845 if (!cafile_entry->ca_store)
2846 chunk_appendf(out, "Empty\n");
2847 else if (LIST_ISEMPTY(&cafile_entry->ckch_inst_link))
2848 chunk_appendf(out, "Unused\n");
2849 else
2850 chunk_appendf(out, "Used\n");
2851
2852 if (!cafile_entry->ca_store)
2853 goto end;
2854
2855 objs = X509_STORE_get0_objects(cafile_entry->ca_store);
2856 for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
2857 cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(objs, i));
2858 if (!cert)
2859 continue;
2860
2861 /* Certificate indexes start at 1 on the CLI output. */
2862 if (ca_index && ca_index-1 != i)
2863 continue;
2864
2865 chunk_appendf(out, "\nCertificate #%d:\n", i+1);
2866 retval = show_cert_detail(cert, NULL, out);
2867 if (retval < 0)
2868 goto end_no_putchk;
2869 else if (retval || ca_index)
2870 goto end;
2871 }
2872
2873end:
2874 if (ci_putchk(si_ic(si), out) == -1) {
2875 si_rx_room_blk(si);
2876 goto yield;
2877 }
2878
2879end_no_putchk:
2880 free_trash_chunk(out);
2881 return 1;
2882yield:
2883 free_trash_chunk(out);
2884 return 0; /* should come back */
2885}
2886
2887
2888/* parsing function for 'show ssl ca-file [cafile[:index]]' */
2889static int cli_parse_show_cafile(char **args, char *payload, struct appctx *appctx, void *private)
2890{
2891 struct cafile_entry *cafile_entry;
2892 long ca_index = 0;
2893 char *colons;
2894 char *err = NULL;
2895
2896 if (!cli_has_level(appctx, ACCESS_LVL_OPER))
2897 return cli_err(appctx, "Can't allocate memory!\n");
2898
2899 /* The operations on the CKCH architecture are locked so we can
2900 * manipulate ckch_store and ckch_inst */
2901 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
2902 return cli_err(appctx, "Can't show!\nOperations on certificates are currently locked!\n");
2903
2904 /* check if there is a certificate to lookup */
2905 if (*args[3]) {
2906
2907 /* Look for an optional CA index after the CA file name */
2908 colons = strchr(args[3], ':');
2909 if (colons) {
2910 char *endptr;
2911
2912 ca_index = strtol(colons + 1, &endptr, 10);
2913 /* Indexes start at 1 */
2914 if (colons + 1 == endptr || *endptr != '\0' || ca_index <= 0) {
2915 memprintf(&err, "wrong CA index after colons in '%s'!", args[3]);
2916 goto error;
2917 }
2918 *colons = '\0';
2919 }
2920
2921 if (*args[3] == '*') {
2922 if (!cafile_transaction.new_cafile_entry)
2923 goto error;
2924
2925 cafile_entry = cafile_transaction.new_cafile_entry;
2926
2927 if (strcmp(args[3] + 1, cafile_entry->path) != 0)
2928 goto error;
2929
2930 } else {
2931 /* Get the "original" cafile_entry and not the
2932 * uncommitted one if it exists. */
2933 if ((cafile_entry = ssl_store_get_cafile_entry(args[3], 1)) == NULL || cafile_entry->type != CAFILE_CERT)
2934 goto error;
2935 }
2936
2937 appctx->ctx.cli.p0 = cafile_entry;
2938 appctx->ctx.cli.p1 = (void*)ca_index;
2939 /* use the IO handler that shows details */
2940 appctx->io_handler = cli_io_handler_show_cafile_detail;
2941 }
2942
2943 return 0;
2944
2945error:
2946 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2947 if (err)
2948 return cli_dynerr(appctx, err);
2949 return cli_err(appctx, "Can't display the CA file : Not found!\n");
2950}
2951
2952
2953/* release function of the 'show ssl ca-file' command */
2954static void cli_release_show_cafile(struct appctx *appctx)
2955{
2956 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
2957}
2958
2959
2960/* This function returns the number of certificates in a cafile_entry. */
2961static int get_certificate_count(struct cafile_entry *cafile_entry)
2962{
2963 int cert_count = 0;
2964 STACK_OF(X509_OBJECT) *objs;
2965
2966 if (cafile_entry && cafile_entry->ca_store) {
2967 objs = X509_STORE_get0_objects(cafile_entry->ca_store);
2968 if (objs)
2969 cert_count = sk_X509_OBJECT_num(objs);
2970 }
2971 return cert_count;
2972}
2973
2974/* IO handler of "show ssl ca-file". The command taking a specific CA file name
2975 * is managed in cli_io_handler_show_cafile_detail. */
2976static int cli_io_handler_show_cafile(struct appctx *appctx)
2977{
2978 struct buffer *trash = alloc_trash_chunk();
2979 struct ebmb_node *node;
2980 struct stream_interface *si = appctx->owner;
2981 struct cafile_entry *cafile_entry;
2982
2983 if (trash == NULL)
2984 return 1;
2985
2986 if (!appctx->ctx.ssl.old_cafile_entry) {
2987 if (cafile_transaction.old_cafile_entry) {
2988 chunk_appendf(trash, "# transaction\n");
2989 chunk_appendf(trash, "*%s", cafile_transaction.old_cafile_entry->path);
2990
2991 chunk_appendf(trash, " - %d certificate(s)\n", get_certificate_count(cafile_transaction.new_cafile_entry));
2992 }
2993 }
2994
2995 /* First time in this io_handler. */
2996 if (!appctx->ctx.cli.p0) {
2997 chunk_appendf(trash, "# filename\n");
2998 node = ebmb_first(&cafile_tree);
2999 } else {
3000 /* We yielded during a previous call. */
3001 node = &((struct cafile_entry*)appctx->ctx.cli.p0)->node;
3002 }
3003
3004 while (node) {
3005 cafile_entry = ebmb_entry(node, struct cafile_entry, node);
3006 if (cafile_entry->type == CAFILE_CERT) {
3007 chunk_appendf(trash, "%s", cafile_entry->path);
3008
3009 chunk_appendf(trash, " - %d certificate(s)\n", get_certificate_count(cafile_entry));
3010 }
3011
3012 node = ebmb_next(node);
3013 if (ci_putchk(si_ic(si), trash) == -1) {
3014 si_rx_room_blk(si);
3015 goto yield;
3016 }
3017 }
3018
3019 appctx->ctx.cli.p0 = NULL;
3020 free_trash_chunk(trash);
3021 return 1;
3022yield:
3023
3024 free_trash_chunk(trash);
3025 appctx->ctx.cli.p0 = cafile_entry;
3026 return 0; /* should come back */
3027}
3028
Remi Tricot-Le Bretonc3a84772021-03-25 18:13:57 +01003029/* parsing function of 'del ssl ca-file' */
3030static int cli_parse_del_cafile(char **args, char *payload, struct appctx *appctx, void *private)
3031{
3032 struct cafile_entry *cafile_entry;
3033 char *err = NULL;
3034 char *filename;
3035
3036 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
3037 return 1;
3038
3039 if (!*args[3])
3040 return cli_err(appctx, "'del ssl ca-file' expects a CA file name\n");
3041
3042 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
3043 return cli_err(appctx, "Can't delete the CA file!\nOperations on certificates are currently locked!\n");
3044
3045 filename = args[3];
3046
3047 cafile_entry = ssl_store_get_cafile_entry(filename, 0);
3048 if (!cafile_entry) {
3049 memprintf(&err, "CA file '%s' doesn't exist!\n", filename);
3050 goto error;
3051 }
3052
3053 if (!LIST_ISEMPTY(&cafile_entry->ckch_inst_link)) {
3054 memprintf(&err, "CA file '%s' in use, can't be deleted!\n", filename);
3055 goto error;
3056 }
3057
3058 /* Remove the cafile_entry from the tree */
3059 ebmb_delete(&cafile_entry->node);
3060 ssl_store_delete_cafile_entry(cafile_entry);
3061
3062 memprintf(&err, "CA file '%s' deleted!\n", filename);
3063
3064 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
3065 return cli_dynmsg(appctx, LOG_NOTICE, err);
3066
3067error:
3068 memprintf(&err, "Can't remove the CA file: %s\n", err ? err : "");
3069 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
3070 return cli_dynerr(appctx, err);
3071}
3072
Remi Tricot-Le Breton720e3b92021-04-26 11:00:42 +02003073/* parsing function of 'new ssl crl-file' */
3074static int cli_parse_new_crlfile(char **args, char *payload, struct appctx *appctx, void *private)
3075{
3076 struct cafile_entry *cafile_entry;
3077 char *err = NULL;
3078 char *path;
3079
3080 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
3081 return 1;
3082
3083 if (!*args[3])
3084 return cli_err(appctx, "'new ssl crl-file' expects a filename\n");
3085
3086 path = args[3];
3087
3088 /* The operations on the CKCH architecture are locked so we can
3089 * manipulate ckch_store and ckch_inst */
3090 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
3091 return cli_err(appctx, "Can't create a CA file!\nOperations on certificates are currently locked!\n");
3092
3093 cafile_entry = ssl_store_get_cafile_entry(path, 0);
3094 if (cafile_entry) {
3095 memprintf(&err, "CRL file '%s' already exists!\n", path);
3096 goto error;
3097 }
3098
3099 cafile_entry = ssl_store_create_cafile_entry(path, NULL, CAFILE_CRL);
3100 if (!cafile_entry) {
3101 memprintf(&err, "%sCannot allocate memory!\n", err ? err : "");
3102 goto error;
3103 }
3104
3105 /* Add the newly created cafile_entry to the tree so that
3106 * any new ckch instance created from now can use it. */
3107 if (ssl_store_add_uncommitted_cafile_entry(cafile_entry))
3108 goto error;
3109
3110 memprintf(&err, "New CRL file created '%s'!\n", path);
3111
3112 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
3113 return cli_dynmsg(appctx, LOG_NOTICE, err);
3114error:
3115 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
3116 return cli_dynerr(appctx, err);
3117}
3118
Remi Tricot-Le Bretona51b3392021-04-20 17:38:14 +02003119/* Parsing function of `set ssl crl-file` */
3120static int cli_parse_set_crlfile(char **args, char *payload, struct appctx *appctx, void *private)
3121{
3122 char *err = NULL;
3123 int errcode = 0;
3124 struct buffer *buf;
3125
3126 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
3127 return 1;
3128
3129 if (!*args[3] || !payload)
3130 return cli_err(appctx, "'set ssl crl-file expects a filename and CAs as a payload\n");
3131
3132 /* The operations on the CKCH architecture are locked so we can
3133 * manipulate ckch_store and ckch_inst */
3134 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
3135 return cli_err(appctx, "Can't update the CRL file!\nOperations on certificates are currently locked!\n");
3136
3137 if ((buf = alloc_trash_chunk()) == NULL) {
3138 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
3139 errcode |= ERR_ALERT | ERR_FATAL;
3140 goto end;
3141 }
3142
3143 if (!chunk_strcpy(buf, args[3])) {
3144 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
3145 errcode |= ERR_ALERT | ERR_FATAL;
3146 goto end;
3147 }
3148
3149 appctx->ctx.ssl.old_crlfile_entry = NULL;
3150 appctx->ctx.ssl.new_crlfile_entry = NULL;
3151
3152 /* if there is an ongoing transaction */
3153 if (crlfile_transaction.path) {
3154 /* if there is an ongoing transaction, check if this is the same file */
3155 if (strcmp(crlfile_transaction.path, buf->area) != 0) {
3156 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to set '%s'\n", crlfile_transaction.path, buf->area);
3157 errcode |= ERR_ALERT | ERR_FATAL;
3158 goto end;
3159 }
3160 appctx->ctx.ssl.old_crlfile_entry = crlfile_transaction.old_crlfile_entry;
3161 }
3162 else {
3163 /* lookup for the certificate in the tree */
3164 appctx->ctx.ssl.old_crlfile_entry = ssl_store_get_cafile_entry(buf->area, 0);
3165 }
3166
3167 if (!appctx->ctx.ssl.old_crlfile_entry) {
3168 memprintf(&err, "%sCan't replace a CRL file which is not referenced by the configuration!\n",
3169 err ? err : "");
3170 errcode |= ERR_ALERT | ERR_FATAL;
3171 goto end;
3172 }
3173
3174 if (!appctx->ctx.ssl.path) {
3175 /* this is a new transaction, set the path of the transaction */
3176 appctx->ctx.ssl.path = strdup(appctx->ctx.ssl.old_crlfile_entry->path);
3177 if (!appctx->ctx.ssl.path) {
3178 memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
3179 errcode |= ERR_ALERT | ERR_FATAL;
3180 goto end;
3181 }
3182 }
3183
3184 if (appctx->ctx.ssl.new_crlfile_entry)
3185 ssl_store_delete_cafile_entry(appctx->ctx.ssl.new_crlfile_entry);
3186
3187 /* Create a new cafile_entry without adding it to the cafile tree. */
3188 appctx->ctx.ssl.new_crlfile_entry = ssl_store_create_cafile_entry(appctx->ctx.ssl.path, NULL, CAFILE_CRL);
3189 if (!appctx->ctx.ssl.new_crlfile_entry) {
3190 memprintf(&err, "%sCannot allocate memory!\n", err ? err : "");
3191 errcode |= ERR_ALERT | ERR_FATAL;
3192 goto end;
3193 }
3194
3195 /* Fill the new entry with the new CRL. */
3196 if (ssl_store_load_ca_from_buf(appctx->ctx.ssl.new_crlfile_entry, payload)) {
3197 memprintf(&err, "%sInvalid payload\n", err ? err : "");
3198 errcode |= ERR_ALERT | ERR_FATAL;
3199 goto end;
3200 }
3201
3202 /* we succeed, we can save the crl in the transaction */
3203
3204 /* if there wasn't a transaction, update the old CA */
3205 if (!crlfile_transaction.old_crlfile_entry) {
3206 crlfile_transaction.old_crlfile_entry = appctx->ctx.ssl.old_crlfile_entry;
3207 crlfile_transaction.path = appctx->ctx.ssl.path;
3208 err = memprintf(&err, "transaction created for CA %s!\n", crlfile_transaction.path);
3209 } else {
3210 err = memprintf(&err, "transaction updated for CA %s!\n", crlfile_transaction.path);
3211 }
3212
3213 /* free the previous CRL file if there was a transaction */
3214 ssl_store_delete_cafile_entry(crlfile_transaction.new_crlfile_entry);
3215
3216 crlfile_transaction.new_crlfile_entry = appctx->ctx.ssl.new_crlfile_entry;
3217
3218 /* creates the SNI ctxs later in the IO handler */
3219
3220end:
3221 free_trash_chunk(buf);
3222
3223 if (errcode & ERR_CODE) {
3224 ssl_store_delete_cafile_entry(appctx->ctx.ssl.new_crlfile_entry);
3225 appctx->ctx.ssl.new_crlfile_entry = NULL;
3226 appctx->ctx.ssl.old_crlfile_entry = NULL;
3227
Tim Duesterhus025b93e2021-11-04 21:03:52 +01003228 ha_free(&appctx->ctx.ssl.path);
Remi Tricot-Le Bretona51b3392021-04-20 17:38:14 +02003229
3230 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
3231 return cli_dynerr(appctx, memprintf(&err, "%sCan't update %s!\n", err ? err : "", args[3]));
3232 } else {
3233
3234 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
3235 return cli_dynmsg(appctx, LOG_NOTICE, err);
3236 }
3237}
3238
3239/* Parsing function of 'commit ssl crl-file' */
3240static int cli_parse_commit_crlfile(char **args, char *payload, struct appctx *appctx, void *private)
3241{
3242 char *err = NULL;
3243
3244 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
3245 return 1;
3246
3247 if (!*args[3])
3248 return cli_err(appctx, "'commit ssl ca-file expects a filename\n");
3249
3250 /* The operations on the CKCH architecture are locked so we can
3251 * manipulate ckch_store and ckch_inst */
3252 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
3253 return cli_err(appctx, "Can't commit the CRL file!\nOperations on certificates are currently locked!\n");
3254
3255 if (!crlfile_transaction.path) {
3256 memprintf(&err, "No ongoing transaction! !\n");
3257 goto error;
3258 }
3259
3260 if (strcmp(crlfile_transaction.path, args[3]) != 0) {
3261 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to set '%s'\n", crlfile_transaction.path, args[3]);
3262 goto error;
3263 }
3264 /* init the appctx structure */
3265 appctx->st2 = SETCERT_ST_INIT;
3266 appctx->ctx.ssl.next_ckchi = NULL;
3267 appctx->ctx.ssl.old_crlfile_entry = crlfile_transaction.old_crlfile_entry;
3268 appctx->ctx.ssl.new_crlfile_entry = crlfile_transaction.new_crlfile_entry;
3269 appctx->ctx.ssl.cafile_type = CAFILE_CRL;
3270
3271 return 0;
3272
3273error:
3274
3275 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
3276 err = memprintf(&err, "%sCan't commit %s!\n", err ? err : "", args[3]);
3277
3278 return cli_dynerr(appctx, err);
3279}
3280
3281
3282/* release function of the `commit ssl crl-file' command, free things and unlock the spinlock */
3283static void cli_release_commit_crlfile(struct appctx *appctx)
3284{
3285 if (appctx->st2 != SETCERT_ST_FIN) {
3286 struct cafile_entry *new_crlfile_entry = appctx->ctx.ssl.new_crlfile_entry;
3287
3288 /* Remove the uncommitted cafile_entry from the tree. */
3289 ebmb_delete(&new_crlfile_entry->node);
3290 ssl_store_delete_cafile_entry(new_crlfile_entry);
3291 }
3292 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
3293}
3294
Remi Tricot-Le Breton720e3b92021-04-26 11:00:42 +02003295/* parsing function of 'del ssl crl-file' */
3296static int cli_parse_del_crlfile(char **args, char *payload, struct appctx *appctx, void *private)
3297{
3298 struct cafile_entry *cafile_entry;
3299 char *err = NULL;
3300 char *filename;
3301
3302 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
3303 return 1;
3304
3305 if (!*args[3])
3306 return cli_err(appctx, "'del ssl crl-file' expects a CRL file name\n");
3307
3308 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
3309 return cli_err(appctx, "Can't delete the CRL file!\nOperations on certificates are currently locked!\n");
3310
3311 filename = args[3];
3312
3313 cafile_entry = ssl_store_get_cafile_entry(filename, 0);
3314 if (!cafile_entry) {
3315 memprintf(&err, "CRL file '%s' doesn't exist!\n", filename);
3316 goto error;
3317 }
3318 if (cafile_entry->type != CAFILE_CRL) {
3319 memprintf(&err, "'del ssl crl-file' does not work on CA files!\n");
3320 goto error;
3321 }
3322
3323 if (!LIST_ISEMPTY(&cafile_entry->ckch_inst_link)) {
3324 memprintf(&err, "CRL file '%s' in use, can't be deleted!\n", filename);
3325 goto error;
3326 }
3327
3328 /* Remove the cafile_entry from the tree */
3329 ebmb_delete(&cafile_entry->node);
3330 ssl_store_delete_cafile_entry(cafile_entry);
3331
3332 memprintf(&err, "CRL file '%s' deleted!\n", filename);
3333
3334 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
3335 return cli_dynmsg(appctx, LOG_NOTICE, err);
3336
3337error:
3338 memprintf(&err, "Can't remove the CRL file: %s\n", err ? err : "");
3339 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
3340 return cli_dynerr(appctx, err);
3341}
3342
Remi Tricot-Le Bretoneef8e7b2021-04-20 17:42:02 +02003343/* parsing function of 'abort ssl crl-file' */
3344static int cli_parse_abort_crlfile(char **args, char *payload, struct appctx *appctx, void *private)
3345{
3346 char *err = NULL;
3347
3348 if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
3349 return 1;
3350
3351 if (!*args[3])
3352 return cli_err(appctx, "'abort ssl crl-file' expects a filename\n");
3353
3354 /* The operations on the CKCH architecture are locked so we can
3355 * manipulate ckch_store and ckch_inst */
3356 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
3357 return cli_err(appctx, "Can't abort!\nOperations on certificates are currently locked!\n");
3358
3359 if (!crlfile_transaction.path) {
3360 memprintf(&err, "No ongoing transaction!\n");
3361 goto error;
3362 }
3363
3364 if (strcmp(crlfile_transaction.path, args[3]) != 0) {
3365 memprintf(&err, "The ongoing transaction is about '%s' but you are trying to abort a transaction for '%s'\n", crlfile_transaction.path, args[3]);
3366 goto error;
3367 }
3368
3369 /* Only free the uncommitted cafile_entry here, because the SNI and instances were not generated yet */
3370 ssl_store_delete_cafile_entry(crlfile_transaction.new_crlfile_entry);
3371 crlfile_transaction.new_crlfile_entry = NULL;
3372 crlfile_transaction.old_crlfile_entry = NULL;
3373 ha_free(&crlfile_transaction.path);
3374
3375 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
3376
3377 err = memprintf(&err, "Transaction aborted for certificate '%s'!\n", args[3]);
3378 return cli_dynmsg(appctx, LOG_NOTICE, err);
3379
3380error:
3381 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
3382
3383 return cli_dynerr(appctx, err);
3384}
3385
Remi Tricot-Le Breton2a22e162021-03-16 11:19:33 +01003386
Remi Tricot-Le Breton51e28b62021-04-20 17:58:01 +02003387/*
3388 * Display a Certificate Resignation List's information.
3389 * The information displayed is inspired by the output of 'openssl crl -in
3390 * crl.pem -text'.
3391 * Returns 0 in case of success.
3392 */
3393static int show_crl_detail(X509_CRL *crl, struct buffer *out)
3394{
3395 BIO *bio = NULL;
3396 struct buffer *tmp = alloc_trash_chunk();
3397 long version;
3398 X509_NAME *issuer;
3399 int write = -1;
3400 STACK_OF(X509_REVOKED) *rev = NULL;
3401 X509_REVOKED *rev_entry = NULL;
3402 int i;
3403
3404 if (!tmp)
3405 return -1;
3406
3407 if ((bio = BIO_new(BIO_s_mem())) == NULL)
3408 goto end;
3409
3410 /* Version (as displayed by 'openssl crl') */
3411 version = X509_CRL_get_version(crl);
3412 chunk_appendf(out, "Version %ld\n", version + 1);
3413
3414 /* Signature Algorithm */
3415 chunk_appendf(out, "Signature Algorithm: %s\n", OBJ_nid2ln(X509_CRL_get_signature_nid(crl)));
3416
3417 /* Issuer */
3418 chunk_appendf(out, "Issuer: ");
3419 if ((issuer = X509_CRL_get_issuer(crl)) == NULL)
3420 goto end;
3421 if ((ssl_sock_get_dn_oneline(issuer, tmp)) == -1)
3422 goto end;
3423 *(tmp->area + tmp->data) = '\0';
3424 chunk_appendf(out, "%s\n", tmp->area);
3425
3426 /* Last Update */
3427 chunk_appendf(out, "Last Update: ");
3428 chunk_reset(tmp);
Remi Tricot-Le Bretond75b99e2021-05-17 11:45:55 +02003429 if (BIO_reset(bio) == -1)
3430 goto end;
Remi Tricot-Le Breton51e28b62021-04-20 17:58:01 +02003431 if (ASN1_TIME_print(bio, X509_CRL_get0_lastUpdate(crl)) == 0)
3432 goto end;
3433 write = BIO_read(bio, tmp->area, tmp->size-1);
3434 tmp->area[write] = '\0';
3435 chunk_appendf(out, "%s\n", tmp->area);
3436
3437
3438 /* Next Update */
3439 chunk_appendf(out, "Next Update: ");
3440 chunk_reset(tmp);
Remi Tricot-Le Bretond75b99e2021-05-17 11:45:55 +02003441 if (BIO_reset(bio) == -1)
3442 goto end;
Remi Tricot-Le Breton51e28b62021-04-20 17:58:01 +02003443 if (ASN1_TIME_print(bio, X509_CRL_get0_nextUpdate(crl)) == 0)
3444 goto end;
3445 write = BIO_read(bio, tmp->area, tmp->size-1);
3446 tmp->area[write] = '\0';
3447 chunk_appendf(out, "%s\n", tmp->area);
3448
3449
3450 /* Revoked Certificates */
3451 rev = X509_CRL_get_REVOKED(crl);
3452 if (sk_X509_REVOKED_num(rev) > 0)
3453 chunk_appendf(out, "Revoked Certificates:\n");
3454 else
3455 chunk_appendf(out, "No Revoked Certificates.\n");
3456
3457 for (i = 0; i < sk_X509_REVOKED_num(rev); i++) {
3458 rev_entry = sk_X509_REVOKED_value(rev, i);
3459
3460 /* Serial Number and Revocation Date */
Remi Tricot-Le Bretond75b99e2021-05-17 11:45:55 +02003461 if (BIO_reset(bio) == -1)
3462 goto end;
Remi Tricot-Le Breton51e28b62021-04-20 17:58:01 +02003463 BIO_printf(bio , " Serial Number: ");
Remi Tricot-Le Breton18c7d832021-05-17 18:38:34 +02003464 i2a_ASN1_INTEGER(bio, (ASN1_INTEGER*)X509_REVOKED_get0_serialNumber(rev_entry));
Remi Tricot-Le Breton51e28b62021-04-20 17:58:01 +02003465 BIO_printf(bio, "\n Revocation Date: ");
Remi Tricot-Le Bretona6b27842021-05-18 10:06:00 +02003466 if (ASN1_TIME_print(bio, X509_REVOKED_get0_revocationDate(rev_entry)) == 0)
3467 goto end;
Remi Tricot-Le Breton51e28b62021-04-20 17:58:01 +02003468 BIO_printf(bio, "\n");
3469
3470 write = BIO_read(bio, tmp->area, tmp->size-1);
3471 tmp->area[write] = '\0';
3472 chunk_appendf(out, "%s", tmp->area);
3473 }
3474
3475end:
3476 free_trash_chunk(tmp);
3477 if (bio)
3478 BIO_free(bio);
3479
3480 return 0;
3481}
3482
3483/* IO handler of details "show ssl crl-file <filename[:index]>" */
3484static int cli_io_handler_show_crlfile_detail(struct appctx *appctx)
3485{
3486 struct stream_interface *si = appctx->owner;
3487 struct cafile_entry *cafile_entry = appctx->ctx.cli.p0;
3488 struct buffer *out = alloc_trash_chunk();
3489 int i;
3490 X509_CRL *crl;
3491 STACK_OF(X509_OBJECT) *objs;
3492 int retval = 0;
3493 long index = (long)appctx->ctx.cli.p1;
3494
3495 if (!out)
3496 goto end_no_putchk;
3497
3498 chunk_appendf(out, "Filename: ");
3499 if (cafile_entry == crlfile_transaction.new_crlfile_entry)
3500 chunk_appendf(out, "*");
3501 chunk_appendf(out, "%s\n", cafile_entry->path);
3502
3503 chunk_appendf(out, "Status: ");
3504 if (!cafile_entry->ca_store)
3505 chunk_appendf(out, "Empty\n");
3506 else if (LIST_ISEMPTY(&cafile_entry->ckch_inst_link))
3507 chunk_appendf(out, "Unused\n");
3508 else
3509 chunk_appendf(out, "Used\n");
3510
3511 if (!cafile_entry->ca_store)
3512 goto end;
3513
3514 objs = X509_STORE_get0_objects(cafile_entry->ca_store);
3515 for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
3516 crl = X509_OBJECT_get0_X509_CRL(sk_X509_OBJECT_value(objs, i));
3517 if (!crl)
3518 continue;
3519
3520 /* CRL indexes start at 1 on the CLI output. */
3521 if (index && index-1 != i)
3522 continue;
3523
3524 chunk_appendf(out, "\nCertificate Revocation List #%d:\n", i+1);
3525 retval = show_crl_detail(crl, out);
3526 if (retval < 0)
3527 goto end_no_putchk;
3528 else if (retval || index)
3529 goto end;
3530 }
3531
3532end:
3533 if (ci_putchk(si_ic(si), out) == -1) {
3534 si_rx_room_blk(si);
3535 goto yield;
3536 }
3537
3538end_no_putchk:
3539 free_trash_chunk(out);
3540 return 1;
3541yield:
3542 free_trash_chunk(out);
3543 return 0; /* should come back */
3544}
3545
3546/* parsing function for 'show ssl crl-file [crlfile[:index]]' */
3547static int cli_parse_show_crlfile(char **args, char *payload, struct appctx *appctx, void *private)
3548{
3549 struct cafile_entry *cafile_entry;
3550 long index = 0;
3551 char *colons;
3552 char *err = NULL;
3553
3554 if (!cli_has_level(appctx, ACCESS_LVL_OPER))
3555 return cli_err(appctx, "Can't allocate memory!\n");
3556
3557 /* The operations on the CKCH architecture are locked so we can
3558 * manipulate ckch_store and ckch_inst */
3559 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
3560 return cli_err(appctx, "Can't show!\nOperations on certificates are currently locked!\n");
3561
3562 /* check if there is a certificate to lookup */
3563 if (*args[3]) {
3564
3565 /* Look for an optional index after the CRL file name */
3566 colons = strchr(args[3], ':');
3567 if (colons) {
3568 char *endptr;
3569
3570 index = strtol(colons + 1, &endptr, 10);
3571 /* Indexes start at 1 */
3572 if (colons + 1 == endptr || *endptr != '\0' || index <= 0) {
3573 memprintf(&err, "wrong CRL index after colons in '%s'!", args[3]);
3574 goto error;
3575 }
3576 *colons = '\0';
3577 }
3578
3579 if (*args[3] == '*') {
3580 if (!crlfile_transaction.new_crlfile_entry)
3581 goto error;
3582
3583 cafile_entry = crlfile_transaction.new_crlfile_entry;
3584
3585 if (strcmp(args[3] + 1, cafile_entry->path) != 0)
3586 goto error;
3587
3588 } else {
3589 /* Get the "original" cafile_entry and not the
3590 * uncommitted one if it exists. */
3591 if ((cafile_entry = ssl_store_get_cafile_entry(args[3], 1)) == NULL || cafile_entry->type != CAFILE_CRL)
3592 goto error;
3593 }
3594
3595 appctx->ctx.cli.p0 = cafile_entry;
3596 appctx->ctx.cli.p1 = (void*)index;
3597 /* use the IO handler that shows details */
3598 appctx->io_handler = cli_io_handler_show_crlfile_detail;
3599 }
3600
3601 return 0;
3602
3603error:
3604 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
3605 if (err)
3606 return cli_dynerr(appctx, err);
3607 return cli_err(appctx, "Can't display the CA file : Not found!\n");
3608}
3609
3610/* IO handler of "show ssl crl-file". The command taking a specific CRL file name
3611 * is managed in cli_io_handler_show_crlfile_detail. */
3612static int cli_io_handler_show_crlfile(struct appctx *appctx)
3613{
3614 struct buffer *trash = alloc_trash_chunk();
3615 struct ebmb_node *node;
3616 struct stream_interface *si = appctx->owner;
3617 struct cafile_entry *cafile_entry;
3618
3619 if (trash == NULL)
3620 return 1;
3621
3622 if (!appctx->ctx.ssl.old_crlfile_entry) {
3623 if (crlfile_transaction.old_crlfile_entry) {
3624 chunk_appendf(trash, "# transaction\n");
3625 chunk_appendf(trash, "*%s\n", crlfile_transaction.old_crlfile_entry->path);
3626 }
3627 }
3628
3629 /* First time in this io_handler. */
3630 if (!appctx->ctx.cli.p0) {
3631 chunk_appendf(trash, "# filename\n");
3632 node = ebmb_first(&cafile_tree);
3633 } else {
3634 /* We yielded during a previous call. */
3635 node = &((struct cafile_entry*)appctx->ctx.cli.p0)->node;
3636 }
3637
3638 while (node) {
3639 cafile_entry = ebmb_entry(node, struct cafile_entry, node);
3640 if (cafile_entry->type == CAFILE_CRL) {
3641 chunk_appendf(trash, "%s\n", cafile_entry->path);
3642 }
3643
3644 node = ebmb_next(node);
3645 if (ci_putchk(si_ic(si), trash) == -1) {
3646 si_rx_room_blk(si);
3647 goto yield;
3648 }
3649 }
3650
3651 appctx->ctx.cli.p0 = NULL;
3652 free_trash_chunk(trash);
3653 return 1;
3654yield:
3655
3656 free_trash_chunk(trash);
3657 appctx->ctx.cli.p0 = cafile_entry;
3658 return 0; /* should come back */
3659}
3660
3661
3662/* release function of the 'show ssl crl-file' command */
3663static void cli_release_show_crlfile(struct appctx *appctx)
3664{
3665 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
3666}
3667
3668
William Lallemandee8530c2020-06-23 18:19:42 +02003669void ckch_deinit()
3670{
3671 struct eb_node *node, *next;
3672 struct ckch_store *store;
3673
3674 node = eb_first(&ckchs_tree);
3675 while (node) {
3676 next = eb_next(node);
3677 store = ebmb_entry(node, struct ckch_store, node);
3678 ckch_store_free(store);
3679 node = next;
3680 }
3681}
William Lallemandda8584c2020-05-14 10:14:37 +02003682
3683/* register cli keywords */
3684static struct cli_kw_list cli_kws = {{ },{
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01003685 { { "new", "ssl", "cert", NULL }, "new ssl cert <certfile> : create a new certificate file to be used in a crt-list or a directory", cli_parse_new_cert, NULL, NULL },
3686 { { "set", "ssl", "cert", NULL }, "set ssl cert <certfile> <payload> : replace a certificate file", cli_parse_set_cert, NULL, NULL },
3687 { { "commit", "ssl", "cert", NULL }, "commit ssl cert <certfile> : commit a certificate file", cli_parse_commit_cert, cli_io_handler_commit_cert, cli_release_commit_cert },
3688 { { "abort", "ssl", "cert", NULL }, "abort ssl cert <certfile> : abort a transaction for a certificate file", cli_parse_abort_cert, NULL, NULL },
3689 { { "del", "ssl", "cert", NULL }, "del ssl cert <certfile> : delete an unused certificate file", cli_parse_del_cert, NULL, NULL },
3690 { { "show", "ssl", "cert", NULL }, "show ssl cert [<certfile>] : display the SSL certificates used in memory, or the details of a file", cli_parse_show_cert, cli_io_handler_show_cert, cli_release_show_cert },
3691
Amaury Denoyelleb11ad9e2021-05-21 11:01:10 +02003692 { { "new", "ssl", "ca-file", NULL }, "new ssl ca-file <cafile> : create a new CA file to be used in a crt-list", cli_parse_new_cafile, NULL, NULL },
Remi Tricot-Le Bretona32a68b2021-02-24 17:35:43 +01003693 { { "set", "ssl", "ca-file", NULL }, "set ssl ca-file <cafile> <payload> : replace a CA file", cli_parse_set_cafile, NULL, NULL },
Remi Tricot-Le Bretona51b3392021-04-20 17:38:14 +02003694 { { "commit", "ssl", "ca-file", NULL }, "commit ssl ca-file <cafile> : commit a CA file", cli_parse_commit_cafile, cli_io_handler_commit_cafile_crlfile, cli_release_commit_cafile },
Remi Tricot-Le Bretond5fd09d2021-03-11 10:22:52 +01003695 { { "abort", "ssl", "ca-file", NULL }, "abort ssl ca-file <cafile> : abort a transaction for a CA file", cli_parse_abort_cafile, NULL, NULL },
Remi Tricot-Le Bretonc3a84772021-03-25 18:13:57 +01003696 { { "del", "ssl", "ca-file", NULL }, "del ssl ca-file <cafile> : delete an unused CA file", cli_parse_del_cafile, NULL, NULL },
Remi Tricot-Le Breton2a22e162021-03-16 11:19:33 +01003697 { { "show", "ssl", "ca-file", NULL }, "show ssl ca-file [<cafile>[:<index>]] : display the SSL CA files used in memory, or the details of a <cafile>, or a single certificate of index <index> of a CA file <cafile>", cli_parse_show_cafile, cli_io_handler_show_cafile, cli_release_show_cafile },
Remi Tricot-Le Bretona51b3392021-04-20 17:38:14 +02003698
Remi Tricot-Le Breton720e3b92021-04-26 11:00:42 +02003699 { { "new", "ssl", "crl-file", NULL }, "new ssl crlfile <crlfile> : create a new CRL file to be used in a crt-list", cli_parse_new_crlfile, NULL, NULL },
Remi Tricot-Le Bretona51b3392021-04-20 17:38:14 +02003700 { { "set", "ssl", "crl-file", NULL }, "set ssl crl-file <crlfile> <payload> : replace a CRL file", cli_parse_set_crlfile, NULL, NULL },
3701 { { "commit", "ssl", "crl-file", NULL },"commit ssl crl-file <crlfile> : commit a CRL file", cli_parse_commit_crlfile, cli_io_handler_commit_cafile_crlfile, cli_release_commit_crlfile },
Remi Tricot-Le Bretoneef8e7b2021-04-20 17:42:02 +02003702 { { "abort", "ssl", "crl-file", NULL }, "abort ssl crl-file <crlfile> : abort a transaction for a CRL file", cli_parse_abort_crlfile, NULL, NULL },
Remi Tricot-Le Breton720e3b92021-04-26 11:00:42 +02003703 { { "del", "ssl", "crl-file", NULL }, "del ssl crl-file <crlfile> : delete an unused CRL file", cli_parse_del_crlfile, NULL, NULL },
Remi Tricot-Le Breton51e28b62021-04-20 17:58:01 +02003704 { { "show", "ssl", "crl-file", NULL }, "show ssl crl-file [<crlfile[:<index>>]] : display the SSL CRL files used in memory, or the details of a <crlfile>, or a single CRL of index <index> of CRL file <crlfile>", cli_parse_show_crlfile, cli_io_handler_show_crlfile, cli_release_show_crlfile },
William Lallemandda8584c2020-05-14 10:14:37 +02003705 { { NULL }, NULL, NULL, NULL }
3706}};
3707
3708INITCALL1(STG_REGISTER, cli_register_kw, &cli_kws);
3709