From 79f89537c6fd3baeac03354a3381f42895fe2ca8 Mon Sep 17 00:00:00 2001
From: Nathan Skrzypczak
Date: Fri, 13 Sep 2019 11:08:13 +0200
Subject: session: Add certificate store

Type: feature

This changes the behavior of both API calls APPLICATION_TLS_CERT_ADD & APPLICATION_TLS_KEY_ADD certificates and keys aren't bound to an app, they are passed to it via connect / listen using the message queue. This should be followed by a per protocol (QUIC/TLS) crypto_context store to save devrived structs

Change-Id: I36873bc8b63b5c72776c69e8cd9febc9cae31882
Signed-off-by: Nathan Skrzypczak
---
 src/plugins/quic/quic.c              | 18 +++++++++---------
 src/plugins/quic/quic.h              |  3 ++-
 src/plugins/tlsmbedtls/tls_mbedtls.c | 18 ++++++++----------
 src/plugins/tlsopenssl/tls_openssl.c | 14 ++++++--------
 4 files changed, 25 insertions(+), 28 deletions(-)
(limited to 'src/plugins')

diff --git a/src/plugins/quic/quic.c b/src/plugins/quic/quic.c
index e9df9ff5025..6648a413e65 100644
--- a/src/plugins/quic/quic.c
+++ b/src/plugins/quic/quic.c
@@ -855,11 +855,12 @@ quic_encrypt_ticket_cb (ptls_encrypt_ticket_t * _self, ptls_t * tls,
 }
 
 static void
-quic_store_quicly_ctx (application_t * app, u8 is_client)
+quic_store_quicly_ctx (application_t * app, u32 cert_key_index)
 {
   quic_main_t *qm = &quic_main;
   quicly_context_t *quicly_ctx;
   ptls_iovec_t key_vec;
+  app_cert_key_pair_t *ckpair;
 
   if (app->quicly_ctx)
     return;
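Review bot: The early return on `app->quicly_ctx` ignores `cert_key_index`, so the quicly context is built once per application from whichever pair the first connect or listen on that app supplied, and every later listen with a different index silently reuses that first private key and certificate instead of its own. The commit message defers a per-protocol crypto-context store, but until that lands the cache should at least say so, e.g. `if (app->quicly_ctx) return; /* cached per app: cert_key_index of later calls is ignored */`, and a QUIC_DBG when a different index arrives would make a listener presenting another listener's certificate diagnosable. quic_store_quicly_ctx continues in the next hunk.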
@@ -910,16 +911,15 @@ quic_store_quicly_ctx (application_t * app, u8 is_client)
     quicly_new_default_cid_encryptor (&ptls_openssl_bfecb,
                                       &ptls_openssl_aes128ecb,
                                       &ptls_openssl_sha256, key_vec);
-  if (is_client)
-    return;
-  if (app->tls_key != NULL && app->tls_cert != NULL)
+
+  ckpair = app_cert_key_pair_get_if_valid (cert_key_index);
+  if (ckpair && ckpair->key != NULL && ckpair->cert != NULL)
     {
-      if (load_bio_private_key (quicly_ctx->tls, (char *) app->tls_key))
+      if (load_bio_private_key (quicly_ctx->tls, (char *) ckpair->key))
         {
           QUIC_DBG (1, "failed to read private key from app configuration\n");
         }
-      if (load_bio_certificate_chain (quicly_ctx->tls,
-                                      (char *) app->tls_cert))
+      if (load_bio_certificate_chain (quicly_ctx->tls, (char *) ckpair->cert))
         {
           QUIC_DBG (1, "failed to load certificate\n");
         }
@@ -1071,7 +1071,7 @@ quic_connect_connection (session_endpoint_cfg_t * sep)
   ctx->parent_app_id = app_wrk->app_index;
   cargs->sep_ext.ns_index = app->ns_index;
 
-  quic_store_quicly_ctx (app, 1 /* is client */ );
+  quic_store_quicly_ctx (app, ctx->ckpair_index);
   /* Also store it in ctx for convenience
    * Waiting for crypto_ctx logic */
   ctx->quicly_ctx = (quicly_context_t *) app->quicly_ctx;
@@ -1163,7 +1163,7 @@ quic_start_listen (u32 quic_listen_session_index, transport_endpoint_t * tep)
   app = application_get (app_wrk->app_index);
   QUIC_DBG (2, "Called quic_start_listen for app %d", app_wrk->app_index);
 
-  quic_store_quicly_ctx (app, 0 /* is_client */ );
+  quic_store_quicly_ctx (app, sep->ckpair_index);
 
   sep->transport_proto = TRANSPORT_PROTO_UDPC;
   clib_memset (args, 0, sizeof (*args));
diff --git a/src/plugins/quic/quic.h b/src/plugins/quic/quic.h
index 312ffcba1cb..85c78dd7871 100644
--- a/src/plugins/quic/quic.h
+++ b/src/plugins/quic/quic.h
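Review bot: A listener whose key or certificate fails to load still comes up, because `load_bio_private_key` and `load_bio_certificate_chain` errors are only reported through `QUIC_DBG (1, ...)` and `quic_store_quicly_ctx` returns void, so `quic_start_listen` has no way to refuse the listen; a NULL from `app_cert_key_pair_get_if_valid`, or a pair with only one of key and cert, is skipped by the combined `if` with no message at all. Dropping `if (is_client) return;` also means a connect that carries a ckpair index now loads a private key into the per-app context that the server side of the same app will use. I would have the function return int, -1 when a pair was requested but could not be loaded, make the listen caller further down fail on it, and turn the early return in the previous hunk into `return 0;`. quic_store_quicly_ctx starts in the previous hunk.
```c
      if (load_bio_private_key (quicly_ctx->tls, (char *) ckpair->key))
        {
          QUIC_DBG (1, "failed to read private key from app configuration\n");
          return -1;
        }
      /* … unchanged: load_bio_certificate_chain branch, with the same return -1 on failure … */
    }
  return 0;
```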
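Review bot: `ctx->ckpair_index` is consumed here but nothing in this commit assigns it for a connecting context, and since 0 is a valid pool index, `app_cert_key_pair_get_if_valid` on a zero-initialised quic_ctx_t would resolve to whichever pair sits first in the pool rather than to "no pair", loading a private key into the client's context that the application never selected. If the index is copied from the session endpoint in the allocation path outside this diff that is fine, but it needs confirming; otherwise `ctx->ckpair_index = sep->ckpair_index;` belongs before this call, with ~0 as the explicit "none" value. quic_connect_connection extends beyond this hunk on both sides.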
@@ -121,8 +121,9 @@ typedef struct quic_ctx_
   u32 timer_handle;
   u32 parent_app_wrk_id;
   u32 parent_app_id;
-  u8 flags;
+  u32 ckpair_index;
   quicly_context_t *quicly_ctx;
+  u8 flags;
 } quic_ctx_t;
 
 /* Make sure our custom fields don't overlap with the fields we use in
diff --git a/src/plugins/tlsmbedtls/tls_mbedtls.c b/src/plugins/tlsmbedtls/tls_mbedtls.c
index 73112323f0e..7a2abaf39b9 100644
--- a/src/plugins/tlsmbedtls/tls_mbedtls.c
+++ b/src/plugins/tlsmbedtls/tls_mbedtls.c
@@ -276,8 +276,7 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx)
 {
   mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
   mbedtls_main_t *mm = &mbedtls_main;
-  app_worker_t *app_wrk;
-  application_t *app;
+  app_cert_key_pair_t *ckpair;
   void *ctx_ptr;
   int rv;
 
@@ -289,12 +288,11 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx)
   /*
    * 1. Cert
    */
-  app_wrk = app_worker_get (ctx->parent_app_wrk_index);
-  if (!app_wrk)
+  ckpair = app_cert_key_pair_get_if_valid (ctx->ckpair_index);
+  if (!ckpair)
     return -1;
 
-  app = application_get (app_wrk->app_index);
-  if (!app->tls_cert || !app->tls_key)
+  if (!ckpair->cert || !ckpair->key)
     {
       TLS_DBG (1, " failed\n ! tls cert and/or key not configured %d",
                ctx->parent_app_wrk_index);
@@ -302,8 +300,8 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx)
     }
 
   rv = mbedtls_x509_crt_parse (&mc->srvcert,
-                               (const unsigned char *) app->tls_cert,
-                               vec_len (app->tls_cert));
+                               (const unsigned char *) ckpair->cert,
+                               vec_len (ckpair->cert));
   if (rv != 0)
     {
       TLS_DBG (1, " failed\n ! mbedtls_x509_crt_parse returned %d", rv);
@@ -311,8 +309,8 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx)
     }
 
   rv = mbedtls_pk_parse_key (&mc->pkey,
-                             (const unsigned char *) app->tls_key,
-                             vec_len (app->tls_key), NULL, 0);
+                             (const unsigned char *) ckpair->key,
+                             vec_len (ckpair->key), NULL, 0);
   if (rv != 0)
     {
       TLS_DBG (1, " failed\n ! mbedtls_pk_parse_key returned %d", rv);
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 589d76de860..c383cf3561d 100644
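Review bot: The new `ckpair_index` field has no comment, and because pool indices start at 0 the struct gives no hint what "no certificate" looks like; a doxygen tag such as `u32 ckpair_index;  /**< app cert/key pair pool index; ~0 when none */` would fix that, assuming ~0 is the sentinel the session layer uses for `sep->ckpair_index` (worth confirming against app_cert_key_pair_get_if_valid). Moving `flags` behind `quicly_ctx` also shifts the layout that the overlap comment right below is guarding, so that check should be re-run rather than assumed to still hold. The quic_ctx_t definition starts before this hunk.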
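Review bot: The message under `if (!ckpair->cert || !ckpair->key)` still prints `ctx->parent_app_wrk_index`, but the pair is no longer looked up through the app worker, so the number logged no longer identifies what is misconfigured; `TLS_DBG (1, " failed\n ! tls cert and/or key not configured for ckpair %d", ctx->ckpair_index);` would point at the right object. The `if (!ckpair) return -1;` just above returns with no log line at all, so a stale or out-of-range index (a pair deleted between listen and accept, say) is indistinguishable from any other -1; a TLS_DBG naming `ctx->ckpair_index` there would help the same way. mbedtls_ctx_init_server continues outside the hunk.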
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -592,7 +592,6 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
 static int
 openssl_start_listen (tls_ctx_t * lctx)
 {
-  application_t *app;
   const SSL_METHOD *method;
   SSL_CTX *ssl_ctx;
   int rv;
@@ -601,17 +600,16 @@ openssl_start_listen (tls_ctx_t * lctx)
   EVP_PKEY *pkey;
   u32 olc_index;
   openssl_listen_ctx_t *olc;
-  app_worker_t *app_wrk;
+  app_cert_key_pair_t *ckpair;
   long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
   openssl_main_t *om = &openssl_main;
 
-  app_wrk = app_worker_get (lctx->parent_app_wrk_index);
-  if (!app_wrk)
+  ckpair = app_cert_key_pair_get_if_valid (lctx->ckpair_index);
+  if (!ckpair)
     return -1;
 
-  app = application_get (app_wrk->app_index);
-  if (!app->tls_cert || !app->tls_key)
+  if (!ckpair->cert || !ckpair->key)
     {
       TLS_DBG (1, "tls cert and/or key not configured %d",
                lctx->parent_app_wrk_index);
@@ -646,7 +644,7 @@ openssl_start_listen (tls_ctx_t * lctx)
    * Set the key and cert
    */
   cert_bio = BIO_new (BIO_s_mem ());
-  BIO_write (cert_bio, app->tls_cert, vec_len (app->tls_cert));
+  BIO_write (cert_bio, ckpair->cert, vec_len (ckpair->cert));
   srvcert = PEM_read_bio_X509 (cert_bio, NULL, NULL, NULL);
   if (!srvcert)
     {
@@ -657,7 +655,7 @@ openssl_start_listen (tls_ctx_t * lctx)
   BIO_free (cert_bio);
 
   cert_bio = BIO_new (BIO_s_mem ());
-  BIO_write (cert_bio, app->tls_key, vec_len (app->tls_key));
+  BIO_write (cert_bio, ckpair->key, vec_len (ckpair->key));
   pkey = PEM_read_bio_PrivateKey (cert_bio, NULL, NULL, NULL);
   if (!pkey)
     {
-- 
cgit 1.2.3-korg
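Review bot: The "not configured" message still prints `lctx->parent_app_wrk_index` although the lookup now goes by `lctx->ckpair_index`, so the value an operator needs to find the broken pair is not the one logged; `TLS_DBG (1, "tls cert and/or key not configured for ckpair %d", lctx->ckpair_index);` fixes that, and the silent `if (!ckpair) return -1;` above it deserves a TLS_DBG with the same index, since a deleted or out-of-range pair otherwise fails the listen without a trace. openssl_start_listen continues past this hunk.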
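Review bot: `PEM_read_bio_PrivateKey (cert_bio, NULL, NULL, NULL)` supplies no passphrase callback, so if an application ever adds an encrypted PEM key OpenSSL falls back to its default callback, which tries to read the passphrase from the process terminal; in a daemon that means a hang or an opaque PEM error rather than a clear refusal. The mbedtls backend passes NULL/0 for the password and therefore rejects encrypted keys deterministically; the openssl path should do the same by passing a callback that returns 0, so the existing `if (!pkey)` branch reports it immediately. openssl_start_listen continues past this hunk.
```c
/* Refuse encrypted keys instead of letting OpenSSL prompt on the terminal. */
static int
openssl_no_passphrase_cb (char *buf, int size, int rwflag, void *userdata)
{
  return 0;
}
/* … unchanged: openssl_start_listen up to the key BIO … */
  pkey = PEM_read_bio_PrivateKey (cert_bio, NULL, openssl_no_passphrase_cb, NULL);
```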