summaryrefslogtreecommitdiffstats
path: root/src/plugins
diff options
context:
space:
mode:
authorNathan Skrzypczak <nathan.skrzypczak@gmail.com>2019-09-13 11:08:13 +0200
committerFlorin Coras <florin.coras@gmail.com>2019-10-09 01:09:11 +0000
commit79f89537c6fd3baeac03354a3381f42895fe2ca8 (patch)
tree967f83e5a26a4fcfb7857c122d2217a1094f9942 /src/plugins
parentff5a9b6ecd744ff5c42e6c2388dd31a338ea6a0c (diff)
session: Add certificate store
Type: feature This changes the behavior of both API calls APPLICATION_TLS_CERT_ADD & APPLICATION_TLS_KEY_ADD certificates and keys aren't bound to an app, they are passed to it via connect / listen using the message queue. This should be followed by a per protocol (QUIC/TLS) crypto_context store to save devrived structs Change-Id: I36873bc8b63b5c72776c69e8cd9febc9cae31882 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/quic/quic.c18
-rw-r--r--src/plugins/quic/quic.h3
-rw-r--r--src/plugins/tlsmbedtls/tls_mbedtls.c18
-rw-r--r--src/plugins/tlsopenssl/tls_openssl.c14
4 files changed, 25 insertions, 28 deletions
diff --git a/src/plugins/quic/quic.c b/src/plugins/quic/quic.c
index e9df9ff5025..6648a413e65 100644
--- a/src/plugins/quic/quic.c
+++ b/src/plugins/quic/quic.c
@@ -855,11 +855,12 @@ quic_encrypt_ticket_cb (ptls_encrypt_ticket_t * _self, ptls_t * tls,
}
static void
-quic_store_quicly_ctx (application_t * app, u8 is_client)
+quic_store_quicly_ctx (application_t * app, u32 cert_key_index)
{
quic_main_t *qm = &quic_main;
quicly_context_t *quicly_ctx;
ptls_iovec_t key_vec;
+ app_cert_key_pair_t *ckpair;
if (app->quicly_ctx)
return;
@@ -910,16 +911,15 @@ quic_store_quicly_ctx (application_t * app, u8 is_client)
quicly_new_default_cid_encryptor (&ptls_openssl_bfecb,
&ptls_openssl_aes128ecb,
&ptls_openssl_sha256, key_vec);
- if (is_client)
- return;
- if (app->tls_key != NULL && app->tls_cert != NULL)
+
+ ckpair = app_cert_key_pair_get_if_valid (cert_key_index);
+ if (ckpair && ckpair->key != NULL && ckpair->cert != NULL)
{
- if (load_bio_private_key (quicly_ctx->tls, (char *) app->tls_key))
+ if (load_bio_private_key (quicly_ctx->tls, (char *) ckpair->key))
{
QUIC_DBG (1, "failed to read private key from app configuration\n");
}
- if (load_bio_certificate_chain (quicly_ctx->tls,
- (char *) app->tls_cert))
+ if (load_bio_certificate_chain (quicly_ctx->tls, (char *) ckpair->cert))
{
QUIC_DBG (1, "failed to load certificate\n");
}
@@ -1071,7 +1071,7 @@ quic_connect_connection (session_endpoint_cfg_t * sep)
ctx->parent_app_id = app_wrk->app_index;
cargs->sep_ext.ns_index = app->ns_index;
- quic_store_quicly_ctx (app, 1 /* is client */ );
+ quic_store_quicly_ctx (app, ctx->ckpair_index);
/* Also store it in ctx for convenience
* Waiting for crypto_ctx logic */
ctx->quicly_ctx = (quicly_context_t *) app->quicly_ctx;
@@ -1163,7 +1163,7 @@ quic_start_listen (u32 quic_listen_session_index, transport_endpoint_t * tep)
app = application_get (app_wrk->app_index);
QUIC_DBG (2, "Called quic_start_listen for app %d", app_wrk->app_index);
- quic_store_quicly_ctx (app, 0 /* is_client */ );
+ quic_store_quicly_ctx (app, sep->ckpair_index);
sep->transport_proto = TRANSPORT_PROTO_UDPC;
clib_memset (args, 0, sizeof (*args));
diff --git a/src/plugins/quic/quic.h b/src/plugins/quic/quic.h
index 312ffcba1cb..85c78dd7871 100644
--- a/src/plugins/quic/quic.h
+++ b/src/plugins/quic/quic.h
@@ -121,8 +121,9 @@ typedef struct quic_ctx_
u32 timer_handle;
u32 parent_app_wrk_id;
u32 parent_app_id;
- u8 flags;
+ u32 ckpair_index;
quicly_context_t *quicly_ctx;
+ u8 flags;
} quic_ctx_t;
/* Make sure our custom fields don't overlap with the fields we use in
diff --git a/src/plugins/tlsmbedtls/tls_mbedtls.c b/src/plugins/tlsmbedtls/tls_mbedtls.c
index 73112323f0e..7a2abaf39b9 100644
--- a/src/plugins/tlsmbedtls/tls_mbedtls.c
+++ b/src/plugins/tlsmbedtls/tls_mbedtls.c
@@ -276,8 +276,7 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx)
{
mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
mbedtls_main_t *mm = &mbedtls_main;
- app_worker_t *app_wrk;
- application_t *app;
+ app_cert_key_pair_t *ckpair;
void *ctx_ptr;
int rv;
@@ -289,12 +288,11 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx)
/*
* 1. Cert
*/
- app_wrk = app_worker_get (ctx->parent_app_wrk_index);
- if (!app_wrk)
+ ckpair = app_cert_key_pair_get_if_valid (ctx->ckpair_index);
+ if (!ckpair)
return -1;
- app = application_get (app_wrk->app_index);
- if (!app->tls_cert || !app->tls_key)
+ if (!ckpair->cert || !ckpair->key)
{
TLS_DBG (1, " failed\n ! tls cert and/or key not configured %d",
ctx->parent_app_wrk_index);
@@ -302,8 +300,8 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx)
}
rv = mbedtls_x509_crt_parse (&mc->srvcert,
- (const unsigned char *) app->tls_cert,
- vec_len (app->tls_cert));
+ (const unsigned char *) ckpair->cert,
+ vec_len (ckpair->cert));
if (rv != 0)
{
TLS_DBG (1, " failed\n ! mbedtls_x509_crt_parse returned %d", rv);
@@ -311,8 +309,8 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx)
}
rv = mbedtls_pk_parse_key (&mc->pkey,
- (const unsigned char *) app->tls_key,
- vec_len (app->tls_key), NULL, 0);
+ (const unsigned char *) ckpair->key,
+ vec_len (ckpair->key), NULL, 0);
if (rv != 0)
{
TLS_DBG (1, " failed\n ! mbedtls_pk_parse_key returned %d", rv);
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 589d76de860..c383cf3561d 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -592,7 +592,6 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
static int
openssl_start_listen (tls_ctx_t * lctx)
{
- application_t *app;
const SSL_METHOD *method;
SSL_CTX *ssl_ctx;
int rv;
@@ -601,17 +600,16 @@ openssl_start_listen (tls_ctx_t * lctx)
EVP_PKEY *pkey;
u32 olc_index;
openssl_listen_ctx_t *olc;
- app_worker_t *app_wrk;
+ app_cert_key_pair_t *ckpair;
long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
openssl_main_t *om = &openssl_main;
- app_wrk = app_worker_get (lctx->parent_app_wrk_index);
- if (!app_wrk)
+ ckpair = app_cert_key_pair_get_if_valid (lctx->ckpair_index);
+ if (!ckpair)
return -1;
- app = application_get (app_wrk->app_index);
- if (!app->tls_cert || !app->tls_key)
+ if (!ckpair->cert || !ckpair->key)
{
TLS_DBG (1, "tls cert and/or key not configured %d",
lctx->parent_app_wrk_index);
@@ -646,7 +644,7 @@ openssl_start_listen (tls_ctx_t * lctx)
* Set the key and cert
*/
cert_bio = BIO_new (BIO_s_mem ());
- BIO_write (cert_bio, app->tls_cert, vec_len (app->tls_cert));
+ BIO_write (cert_bio, ckpair->cert, vec_len (ckpair->cert));
srvcert = PEM_read_bio_X509 (cert_bio, NULL, NULL, NULL);
if (!srvcert)
{
@@ -657,7 +655,7 @@ openssl_start_listen (tls_ctx_t * lctx)
BIO_free (cert_bio);
cert_bio = BIO_new (BIO_s_mem ());
- BIO_write (cert_bio, app->tls_key, vec_len (app->tls_key));
+ BIO_write (cert_bio, ckpair->key, vec_len (ckpair->key));
pkey = PEM_read_bio_PrivateKey (cert_bio, NULL, NULL, NULL);
if (!pkey)
{