diff options
author | Nathan Skrzypczak <nathan.skrzypczak@gmail.com> | 2019-09-13 11:08:13 +0200 |
---|---|---|
committer | Florin Coras <florin.coras@gmail.com> | 2019-10-09 01:09:11 +0000 |
commit | 79f89537c6fd3baeac03354a3381f42895fe2ca8 (patch) | |
tree | 967f83e5a26a4fcfb7857c122d2217a1094f9942 /src/plugins | |
parent | ff5a9b6ecd744ff5c42e6c2388dd31a338ea6a0c (diff) |
session: Add certificate store
Type: feature
This changes the behavior of both API calls
APPLICATION_TLS_CERT_ADD & APPLICATION_TLS_KEY_ADD
certificates and keys aren't bound to an app, they are
passed to it via connect / listen using the message
queue.
This should be followed by a per protocol (QUIC/TLS)
crypto_context store to save devrived structs
Change-Id: I36873bc8b63b5c72776c69e8cd9febc9cae31882
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/quic/quic.c | 18 | ||||
-rw-r--r-- | src/plugins/quic/quic.h | 3 | ||||
-rw-r--r-- | src/plugins/tlsmbedtls/tls_mbedtls.c | 18 | ||||
-rw-r--r-- | src/plugins/tlsopenssl/tls_openssl.c | 14 |
4 files changed, 25 insertions, 28 deletions
diff --git a/src/plugins/quic/quic.c b/src/plugins/quic/quic.c index e9df9ff5025..6648a413e65 100644 --- a/src/plugins/quic/quic.c +++ b/src/plugins/quic/quic.c @@ -855,11 +855,12 @@ quic_encrypt_ticket_cb (ptls_encrypt_ticket_t * _self, ptls_t * tls, } static void -quic_store_quicly_ctx (application_t * app, u8 is_client) +quic_store_quicly_ctx (application_t * app, u32 cert_key_index) { quic_main_t *qm = &quic_main; quicly_context_t *quicly_ctx; ptls_iovec_t key_vec; + app_cert_key_pair_t *ckpair; if (app->quicly_ctx) return; @@ -910,16 +911,15 @@ quic_store_quicly_ctx (application_t * app, u8 is_client) quicly_new_default_cid_encryptor (&ptls_openssl_bfecb, &ptls_openssl_aes128ecb, &ptls_openssl_sha256, key_vec); - if (is_client) - return; - if (app->tls_key != NULL && app->tls_cert != NULL) + + ckpair = app_cert_key_pair_get_if_valid (cert_key_index); + if (ckpair && ckpair->key != NULL && ckpair->cert != NULL) { - if (load_bio_private_key (quicly_ctx->tls, (char *) app->tls_key)) + if (load_bio_private_key (quicly_ctx->tls, (char *) ckpair->key)) { QUIC_DBG (1, "failed to read private key from app configuration\n"); } - if (load_bio_certificate_chain (quicly_ctx->tls, - (char *) app->tls_cert)) + if (load_bio_certificate_chain (quicly_ctx->tls, (char *) ckpair->cert)) { QUIC_DBG (1, "failed to load certificate\n"); } @@ -1071,7 +1071,7 @@ quic_connect_connection (session_endpoint_cfg_t * sep) ctx->parent_app_id = app_wrk->app_index; cargs->sep_ext.ns_index = app->ns_index; - quic_store_quicly_ctx (app, 1 /* is client */ ); + quic_store_quicly_ctx (app, ctx->ckpair_index); /* Also store it in ctx for convenience * Waiting for crypto_ctx logic */ ctx->quicly_ctx = (quicly_context_t *) app->quicly_ctx; @@ -1163,7 +1163,7 @@ quic_start_listen (u32 quic_listen_session_index, transport_endpoint_t * tep) app = application_get (app_wrk->app_index); QUIC_DBG (2, "Called quic_start_listen for app %d", app_wrk->app_index); - quic_store_quicly_ctx (app, 0 /* is_client */ ); + quic_store_quicly_ctx (app, sep->ckpair_index); sep->transport_proto = TRANSPORT_PROTO_UDPC; clib_memset (args, 0, sizeof (*args)); diff --git a/src/plugins/quic/quic.h b/src/plugins/quic/quic.h index 312ffcba1cb..85c78dd7871 100644 --- a/src/plugins/quic/quic.h +++ b/src/plugins/quic/quic.h @@ -121,8 +121,9 @@ typedef struct quic_ctx_ u32 timer_handle; u32 parent_app_wrk_id; u32 parent_app_id; - u8 flags; + u32 ckpair_index; quicly_context_t *quicly_ctx; + u8 flags; } quic_ctx_t; /* Make sure our custom fields don't overlap with the fields we use in diff --git a/src/plugins/tlsmbedtls/tls_mbedtls.c b/src/plugins/tlsmbedtls/tls_mbedtls.c index 73112323f0e..7a2abaf39b9 100644 --- a/src/plugins/tlsmbedtls/tls_mbedtls.c +++ b/src/plugins/tlsmbedtls/tls_mbedtls.c @@ -276,8 +276,7 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx) { mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx; mbedtls_main_t *mm = &mbedtls_main; - app_worker_t *app_wrk; - application_t *app; + app_cert_key_pair_t *ckpair; void *ctx_ptr; int rv; @@ -289,12 +288,11 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx) /* * 1. Cert */ - app_wrk = app_worker_get (ctx->parent_app_wrk_index); - if (!app_wrk) + ckpair = app_cert_key_pair_get_if_valid (ctx->ckpair_index); + if (!ckpair) return -1; - app = application_get (app_wrk->app_index); - if (!app->tls_cert || !app->tls_key) + if (!ckpair->cert || !ckpair->key) { TLS_DBG (1, " failed\n ! tls cert and/or key not configured %d", ctx->parent_app_wrk_index); @@ -302,8 +300,8 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx) } rv = mbedtls_x509_crt_parse (&mc->srvcert, - (const unsigned char *) app->tls_cert, - vec_len (app->tls_cert)); + (const unsigned char *) ckpair->cert, + vec_len (ckpair->cert)); if (rv != 0) { TLS_DBG (1, " failed\n ! mbedtls_x509_crt_parse returned %d", rv); @@ -311,8 +309,8 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx) } rv = mbedtls_pk_parse_key (&mc->pkey, - (const unsigned char *) app->tls_key, - vec_len (app->tls_key), NULL, 0); + (const unsigned char *) ckpair->key, + vec_len (ckpair->key), NULL, 0); if (rv != 0) { TLS_DBG (1, " failed\n ! mbedtls_pk_parse_key returned %d", rv); diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c index 589d76de860..c383cf3561d 100644 --- a/src/plugins/tlsopenssl/tls_openssl.c +++ b/src/plugins/tlsopenssl/tls_openssl.c @@ -592,7 +592,6 @@ openssl_ctx_init_client (tls_ctx_t * ctx) static int openssl_start_listen (tls_ctx_t * lctx) { - application_t *app; const SSL_METHOD *method; SSL_CTX *ssl_ctx; int rv; @@ -601,17 +600,16 @@ openssl_start_listen (tls_ctx_t * lctx) EVP_PKEY *pkey; u32 olc_index; openssl_listen_ctx_t *olc; - app_worker_t *app_wrk; + app_cert_key_pair_t *ckpair; long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION; openssl_main_t *om = &openssl_main; - app_wrk = app_worker_get (lctx->parent_app_wrk_index); - if (!app_wrk) + ckpair = app_cert_key_pair_get_if_valid (lctx->ckpair_index); + if (!ckpair) return -1; - app = application_get (app_wrk->app_index); - if (!app->tls_cert || !app->tls_key) + if (!ckpair->cert || !ckpair->key) { TLS_DBG (1, "tls cert and/or key not configured %d", lctx->parent_app_wrk_index); @@ -646,7 +644,7 @@ openssl_start_listen (tls_ctx_t * lctx) * Set the key and cert */ cert_bio = BIO_new (BIO_s_mem ()); - BIO_write (cert_bio, app->tls_cert, vec_len (app->tls_cert)); + BIO_write (cert_bio, ckpair->cert, vec_len (ckpair->cert)); srvcert = PEM_read_bio_X509 (cert_bio, NULL, NULL, NULL); if (!srvcert) { @@ -657,7 +655,7 @@ openssl_start_listen (tls_ctx_t * lctx) BIO_free (cert_bio); cert_bio = BIO_new (BIO_s_mem ()); - BIO_write (cert_bio, app->tls_key, vec_len (app->tls_key)); + BIO_write (cert_bio, ckpair->key, vec_len (ckpair->key)); pkey = PEM_read_bio_PrivateKey (cert_bio, NULL, NULL, NULL); if (!pkey) { |