This patch adds crt-store keywords from the crt-list on the CLI.
- keywords from crt-store can be used over the CLI when inserting
certificate in a crt-list
- keywords from crt-store are dumped when showing a crt-list content
over the CLI
The ckch_conf_kws.func function pointer needed a new "cli" parameter, in
order to differenciate loading that come from the CLI or from the
startup, as they don't behave the same. For example it must not try to
load a file on the filesystem when loading a crt-list line from the CLI.
dump_crtlist_sslconf() was renamed in dump_crtlist_conf() and takes a
new ckch_conf parameter in order to dump relevant crt-store keywords.
const char *name;
ssize_t offset;
enum parse_type_t type;
- int (*func)(void *value, char *buf, struct ckch_data *d, char **err);
+ int (*func)(void *value, char *buf, struct ckch_data *d, int cli, char **err);
char **base; /* ptr to the base path */
};
struct ckch_store *ckch_store_new(const char *filename);
void ckch_store_free(struct ckch_store *store);
void ckch_store_replace(struct ckch_store *old_ckchs, struct ckch_store *new_ckchs);
-int ckch_store_load_files(struct ckch_conf *f, struct ckch_store *c, char **err);
+int ckch_store_load_files(struct ckch_conf *f, struct ckch_store *c, int cli, char **err);
/* ckch_conf functions */
extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err);
/* ckch_conf keyword loading */
-static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, char **err) { return ssl_sock_load_pem_into_ckch(value, buf, d, err); }
-static inline int ckch_conf_load_key(void *value, char *buf, struct ckch_data *d, char **err) { return ssl_sock_load_key_into_ckch(value, buf, d, err); }
-static inline int ckch_conf_load_ocsp_response(void *value, char *buf, struct ckch_data *d, char **err) { return ssl_sock_load_ocsp_response_from_file(value, buf, d, err); }
-static inline int ckch_conf_load_ocsp_issuer(void *value, char *buf, struct ckch_data *d, char **err) { return ssl_sock_load_issuer_file_into_ckch(value, buf, d, err); }
-static inline int ckch_conf_load_sctl(void *value, char *buf, struct ckch_data *d, char **err) { return ssl_sock_load_sctl_from_file(value, buf, d, err); }
+static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_pem_into_ckch(value, buf, d, err); }
+static inline int ckch_conf_load_key(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_key_into_ckch(value, buf, d, err); }
+static inline int ckch_conf_load_ocsp_response(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_ocsp_response_from_file(value, buf, d, err); }
+static inline int ckch_conf_load_ocsp_issuer(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_issuer_file_into_ckch(value, buf, d, err); }
+static inline int ckch_conf_load_sctl(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_sctl_from_file(value, buf, d, err); }
#endif /* USE_OPENSSL */
#endif /* _HAPROXY_SSL_CRTLIST_H */
int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
-int ocsp_update_init(void *value, char *buf, struct ckch_data *d, char **err);
+int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, char **err);
#endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */
if (!ssl_sock_copy_cert_key_and_chain(src->data, dst->data))
goto error;
+
+ dst->conf.ocsp_update_mode = src->conf.ocsp_update_mode;
+
return dst;
error:
goto end;
}
- cfgerr = ckch_store_load_files(conf, ckchs, err);
+ cfgerr = ckch_store_load_files(conf, ckchs, 0, err);
if (cfgerr & ERR_FATAL)
goto end;
};
/* crt-store does not try to find files, but use the stored filename */
-int ckch_store_load_files(struct ckch_conf *f, struct ckch_store *c, char **err)
+int ckch_store_load_files(struct ckch_conf *f, struct ckch_store *c, int cli, char **err)
{
int i;
int err_code = 0;
int rc = 1;
struct ckch_data *d = c->data;
- /* crt */
- if (!f->crt) {
- err_code |= ERR_ALERT | ERR_FATAL;
- goto out;
- }
-
for (i = 0; ckch_conf_kws[i].name; i++) {
void *src = NULL;
}
path = path_base;
}
- rc = ckch_conf_kws[i].func(path, NULL, d, err);
+ rc = ckch_conf_kws[i].func(path, NULL, d, cli, err);
if (rc) {
err_code |= ERR_ALERT | ERR_FATAL;
memprintf(err, "%s '%s' cannot be read or parsed.", err && *err ? *err : "", path);
case PARSE_TYPE_ONOFF:
{
int v = *(int *)src;
- rc = ckch_conf_kws[i].func(&v, NULL, d, err);
+ rc = ckch_conf_kws[i].func(&v, NULL, d, cli, err);
if (rc) {
err_code |= ERR_ALERT | ERR_FATAL;
memprintf(err, "%s '%d' cannot be read or parsed.", err && *err ? *err : "", v);
if (!c)
goto alloc_error;
- err_code |= ckch_store_load_files(&f, c, err);
+ err_code |= ckch_store_load_files(&f, c, 0, err);
if (err_code & ERR_FATAL)
goto out;
* Take an ssl_bind_conf structure and append the configuration line used to
* create it in the buffer
*/
-static void dump_crtlist_sslconf(struct buffer *buf, const struct ssl_bind_conf *conf)
+static void dump_crtlist_conf(struct buffer *buf, const struct ssl_bind_conf *conf, const struct ckch_conf *cc)
{
int space = 0;
- if (conf == NULL)
+ if (conf == NULL && cc->used == 0)
return;
chunk_appendf(buf, " [");
+
+
+ if (conf == NULL)
+ goto dump_ckch;
+
+ /* first dump all ssl_conf keywords */
+
#ifdef OPENSSL_NPN_NEGOTIATED
if (conf->npn_str) {
int len = conf->npn_len;
space++;
}
- /* FIXME: dump crt-store keywords */
+ /* then dump the ckch_conf */
+dump_ckch:
+ if (!cc->used)
+ goto end;
+
+ if (cc->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_OFF) {
+ if (space) chunk_appendf(buf, " ");
+ chunk_appendf(buf, "ocsp-update off");
+ space++;
+ } else if (cc->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) {
+ if (space) chunk_appendf(buf, " ");
+ chunk_appendf(buf, "ocsp-update on");
+ space++;
+ }
+
+end:
chunk_appendf(buf, "]");
chunk_appendf(trash, "%s", filename);
if (ctx->mode == 's') /* show */
chunk_appendf(trash, ":%d", entry->linenum);
- dump_crtlist_sslconf(trash, entry->ssl_conf);
+ dump_crtlist_conf(trash, entry->ssl_conf, &store->conf);
dump_crtlist_filters(trash, entry);
chunk_appendf(trash, "\n");
struct ebpt_node *inserted;
struct crtlist *crtlist;
struct crtlist_entry *entry = NULL;
+ struct ckch_conf cc = {};
char *end;
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
goto error;
}
+
if (payload) {
char *lf;
goto error;
}
/* cert_path is filled here */
- cfgerr |= crtlist_parse_line(payload, &cert_path, entry, NULL, "CLI", 1, 1, &err);
- /* FIXME: handle the ckch_conf */
+ cfgerr |= crtlist_parse_line(payload, &cert_path, entry, &cc, "CLI", 1, 1, &err);
if (cfgerr & ERR_CODE)
goto error;
} else {
goto error;
}
+ /* We can use a crt-store keyword when:
+ * - no ckch_inst are linked OR
+ * - ckch_inst are linked but exact same ckch_conf is used.
+ */
+ if (LIST_ISEMPTY(&store->ckch_inst)) {
+
+ store->conf = cc;
+ /* fresh new, run more init (for example init ocsp-update tasks) */
+ cfgerr |= ckch_store_load_files(&cc, store, 1, &err);
+ if (cfgerr & ERR_FATAL)
+ goto error;
+
+ } else if (ckch_conf_cmp(&store->conf, &cc, &err) != 0) {
+ memprintf(&err, "'%s' is already instantiated with incompatible parameters:\n %s", cert_path, err ? err : "");
+ cfgerr |= ERR_ALERT | ERR_FATAL;
+ goto error;
+ }
+
/* check if it's possible to insert this new crtlist_entry */
entry->node.key = store;
inserted = ebpt_insert(&crtlist->entries, &entry->node);
}
/* this is supposed to be a directory (EB_ROOT_UNIQUE), so no ssl_conf are allowed */
- if ((entry->ssl_conf || entry->filters) && eb_gettag(crtlist->entries.b[EB_RGHT])) {
- memprintf(&err, "this is a directory, SSL configuration and filters are not allowed");
+ if ((entry->ssl_conf || entry->filters || cc.used) && eb_gettag(crtlist->entries.b[EB_RGHT])) {
+ memprintf(&err, "this is a directory, SSL configuration, crt-store keywords and filters are not allowed");
goto error;
}
return 0;
error:
+ ckch_conf_clean(&cc);
crtlist_entry_free(entry);
HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
err = memprintf(&err, "Can't edit the crt-list: %s\n", err ? err : "");
return 0;
}
-int ocsp_update_init(void *value, char *buf, struct ckch_data *d, char **err)
+int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, char **err)
{
int ocsp_update_mode = *(int *)value;
int ret = 0;
projects / thirdparty / haproxy.git / commitdiff
