mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-08 08:07:10 +02:00
Code Issues Projects Releases Wiki Activity

REORG: cli: move ssl CLI functions to ssl_sock.c

Browse Source 
Move ssl CLI functions to ssl_sock.c and use the cli keyword API to
register ssl actions on the CLI.
This commit is contained in:
William Lallemand 2016-10-29 18:09:35 +02:00 committed by Willy Tarreau
parent 9ed6203aef
commit 32af203b75
3 changed files with 272 additions and 273 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/types/cli.h
View File

@ -121,8 +121,6 @@ enum {
STAT_CLI_O_PAT, /* list all entries of a pattern */ STAT_CLI_O_PAT, /* list all entries of a pattern */
STAT_CLI_O_MLOOK, /* lookup a map entry */ STAT_CLI_O_MLOOK, /* lookup a map entry */
STAT_CLI_O_POOLS, /* dump memory pools */ STAT_CLI_O_POOLS, /* dump memory pools */
STAT_CLI_O_TLSK, /* list all TLS ticket keys references */
STAT_CLI_O_TLSK_ENT, /* list all TLS ticket keys entries for a reference */
STAT_CLI_O_RESOLVERS,/* dump a resolver's section nameservers counters */ STAT_CLI_O_RESOLVERS,/* dump a resolver's section nameservers counters */
STAT_CLI_O_SERVERS_STATE, /* dump server state and changing information */ STAT_CLI_O_SERVERS_STATE, /* dump server state and changing information */
STAT_CLI_O_BACKEND, /* dump backend list */ STAT_CLI_O_BACKEND, /* dump backend list */

272
src/cli.c
View File

@ -146,9 +146,6 @@ static int stats_dump_resolvers_to_buffer(struct stream_interface *si);
static int stats_pats_list(struct stream_interface *si); static int stats_pats_list(struct stream_interface *si);
static int stats_pat_list(struct stream_interface *si); static int stats_pat_list(struct stream_interface *si);
static int stats_map_lookup(struct stream_interface *si); static int stats_map_lookup(struct stream_interface *si);
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
static int stats_tlskeys_list(struct stream_interface *si);
#endif
static int dump_servers_state(struct stream_interface *si, struct chunk *buf); static int dump_servers_state(struct stream_interface *si, struct chunk *buf);
@ -193,10 +190,6 @@ static const char stats_sock_usage_msg[] =
" add map : add map entry\n" " add map : add map entry\n"
" del map : delete map entry\n" " del map : delete map entry\n"
" clear map <id> : clear the content of this map\n" " clear map <id> : clear the content of this map\n"
" set ssl <stmt> : set statement for ssl\n"
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
" show tls-keys [id|*]: show tls keys references or dump tls ticket keys when id specified\n"
#endif
""; "";
static const char stats_permission_denied_msg[] = static const char stats_permission_denied_msg[] =
@ -999,50 +992,6 @@ static struct server *expect_server_admin(struct stream *s, struct stream_interf
return sv; return sv;
} }
/* This function is used with TLS ticket keys management. It permits to browse
* each reference. The variable <getnext> must contain the current node,
* <end> point to the root node.
*/
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
static inline
struct tls_keys_ref *tlskeys_list_get_next(struct tls_keys_ref *getnext, struct list *end)
{
struct tls_keys_ref *ref = getnext;
while (1) {
/* Get next list entry. */
ref = LIST_NEXT(&ref->list, struct tls_keys_ref *, list);
/* If the entry is the last of the list, return NULL. */
if (&ref->list == end)
return NULL;
return ref;
}
}
static inline
struct tls_keys_ref *tlskeys_ref_lookup_ref(const char *reference)
{
int id;
char *error;
/* If the reference starts by a '#', this is numeric id. */
if (reference[0] == '#') {
/* Try to convert the numeric id. If the conversion fails, the lookup fails. */
id = strtol(reference + 1, &error, 10);
if (*error != '\0')
return NULL;
/* Perform the unique id lookup. */
return tlskeys_ref_lookupid(id);
}
/* Perform the string lookup. */
return tlskeys_ref_lookup(reference);
}
#endif
/* This function is used with map and acl management. It permits to browse /* This function is used with map and acl management. It permits to browse
* each reference. The variable <getnext> must contain the current node, * each reference. The variable <getnext> must contain the current node,
@ -1308,39 +1257,6 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line)
else if (strcmp(args[1], "table") == 0) { else if (strcmp(args[1], "table") == 0) {
stats_sock_table_request(si, args, STAT_CLI_O_TAB); stats_sock_table_request(si, args, STAT_CLI_O_TAB);
} }
else if (strcmp(args[1], "tls-keys") == 0) {
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
appctx->ctx.tlskeys.dump_all = 0;
/* no parameter, shows only file list */
if (!*args[2]) {
appctx->ctx.tlskeys.dump_all = 1;
appctx->st2 = STAT_ST_INIT;
appctx->st0 = STAT_CLI_O_TLSK;
return 1;
}
if (args[2][0] == '*') {
/* list every TLS ticket keys */
appctx->ctx.tlskeys.ref = NULL;
appctx->ctx.tlskeys.dump_all = 1;
} else {
appctx->ctx.tlskeys.ref = tlskeys_ref_lookup_ref(args[2]);
if(!appctx->ctx.tlskeys.ref) {
appctx->ctx.cli.msg = "'show tls-keys' unable to locate referenced filename\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
}
}
appctx->st2 = STAT_ST_INIT;
appctx->st0 = STAT_CLI_O_TLSK_ENT;
#else
appctx->ctx.cli.msg = "HAProxy was compiled against a version of OpenSSL "
"that doesn't support specifying TLS ticket keys\n";
appctx->st0 = STAT_CLI_PRINT;
#endif
return 1;
}
else if (strcmp(args[1], "map") == 0 || else if (strcmp(args[1], "map") == 0 ||
strcmp(args[1], "acl") == 0) { strcmp(args[1], "acl") == 0) {
@ -2032,88 +1948,7 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line)
/* The set is done, send message. */ /* The set is done, send message. */
appctx->st0 = STAT_CLI_PROMPT; appctx->st0 = STAT_CLI_PROMPT;
return 1; return 1;
} } else { /* unknown "set" parameter */
#ifdef USE_OPENSSL
else if (strcmp(args[1], "ssl") == 0) {
if (strcmp(args[2], "ocsp-response") == 0) {
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
char *err = NULL;
/* Expect one parameter: the new response in base64 encoding */
if (!*args[3]) {
appctx->ctx.cli.msg = "'set ssl ocsp-response' expects response in base64 encoding.\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
}
trash.len = base64dec(args[3], strlen(args[3]), trash.str, trash.size);
if (trash.len < 0) {
appctx->ctx.cli.msg = "'set ssl ocsp-response' received invalid base64 encoded response.\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
}
if (ssl_sock_update_ocsp_response(&trash, &err)) {
if (err) {
memprintf(&err, "%s.\n", err);
appctx->ctx.cli.err = err;
appctx->st0 = STAT_CLI_PRINT_FREE;
}
return 1;
}
appctx->ctx.cli.msg = "OCSP Response updated!";
appctx->st0 = STAT_CLI_PRINT;
return 1;
#else
appctx->ctx.cli.msg = "HAProxy was compiled against a version of OpenSSL that doesn't support OCSP stapling.\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
#endif
}
else if (strcmp(args[2], "tls-key") == 0) {
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
/* Expect two parameters: the filename and the new new TLS key in encoding */
if (!*args[3] || !*args[4]) {
appctx->ctx.cli.msg = "'set ssl tls-key' expects a filename and the new TLS key in base64 encoding.\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
}
appctx->ctx.tlskeys.ref = tlskeys_ref_lookup_ref(args[3]);
if(!appctx->ctx.tlskeys.ref) {
appctx->ctx.cli.msg = "'set ssl tls-key' unable to locate referenced filename\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
}
trash.len = base64dec(args[4], strlen(args[4]), trash.str, trash.size);
if (trash.len != sizeof(struct tls_sess_key)) {
appctx->ctx.cli.msg = "'set ssl tls-key' received invalid base64 encoded TLS key.\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
}
memcpy(appctx->ctx.tlskeys.ref->tlskeys + ((appctx->ctx.tlskeys.ref->tls_ticket_enc_index + 2) % TLS_TICKETS_NO), trash.str, trash.len);
appctx->ctx.tlskeys.ref->tls_ticket_enc_index = (appctx->ctx.tlskeys.ref->tls_ticket_enc_index + 1) % TLS_TICKETS_NO;
appctx->ctx.cli.msg = "TLS ticket key updated!";
appctx->st0 = STAT_CLI_PRINT;
return 1;
#else
appctx->ctx.cli.msg = "HAProxy was compiled against a version of OpenSSL "
"that doesn't support specifying TLS ticket keys\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
#endif
}
else {
appctx->ctx.cli.msg = "'set ssl' only supports 'ocsp-response'.\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
}
}
#endif
else { /* unknown "set" parameter */
return 0; return 0;
} }
} }
@ -2690,16 +2525,6 @@ static void cli_io_handler(struct appctx *appctx)
if (stats_dump_pools_to_buffer(si)) if (stats_dump_pools_to_buffer(si))
appctx->st0 = STAT_CLI_PROMPT; appctx->st0 = STAT_CLI_PROMPT;
break; break;
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
case STAT_CLI_O_TLSK:
if (stats_tlskeys_list(si))
appctx->st0 = STAT_CLI_PROMPT;
break;
case STAT_CLI_O_TLSK_ENT:
if (stats_tlskeys_list(si))
appctx->st0 = STAT_CLI_PROMPT;
break;
#endif
case STAT_CLI_O_ENV: /* environment dump */ case STAT_CLI_O_ENV: /* environment dump */
if (stats_dump_env_to_buffer(si)) if (stats_dump_env_to_buffer(si))
appctx->st0 = STAT_CLI_PROMPT; appctx->st0 = STAT_CLI_PROMPT;
@ -3457,101 +3282,6 @@ static int stats_dump_full_sess_to_buffer(struct stream_interface *si, struct st
return 1; return 1;
} }
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
static int stats_tlskeys_list(struct stream_interface *si) {
struct appctx *appctx = __objt_appctx(si->end);
switch (appctx->st2) {
case STAT_ST_INIT:
/* Display the column headers. If the message cannot be sent,
* quit the fucntion with returning 0. The function is called
* later and restart at the state "STAT_ST_INIT".
*/
chunk_reset(&trash);
if (appctx->st0 == STAT_CLI_O_TLSK_ENT)
chunk_appendf(&trash, "# id secret\n");
else
chunk_appendf(&trash, "# id (file)\n");
if (bi_putchk(si_ic(si), &trash) == -1) {
si_applet_cant_put(si);
return 0;
}
appctx->ctx.tlskeys.dump_keys_index = 0;
/* Now, we start the browsing of the references lists.
* Note that the following call to LIST_ELEM return bad pointer. The only
* available field of this pointer is <list>. It is used with the function
* tlskeys_list_get_next() for retruning the first available entry
*/
if (appctx->ctx.tlskeys.ref == NULL) {
appctx->ctx.tlskeys.ref = LIST_ELEM(&tlskeys_reference, struct tls_keys_ref *, list);
appctx->ctx.tlskeys.ref = tlskeys_list_get_next(appctx->ctx.tlskeys.ref, &tlskeys_reference);
}
appctx->st2 = STAT_ST_LIST;
/* fall through */
case STAT_ST_LIST:
while (appctx->ctx.tlskeys.ref) {
int head = appctx->ctx.tlskeys.ref->tls_ticket_enc_index;
chunk_reset(&trash);
if (appctx->st0 == STAT_CLI_O_TLSK_ENT && appctx->ctx.tlskeys.dump_keys_index == 0)
chunk_appendf(&trash, "# ");
if (appctx->ctx.tlskeys.dump_keys_index == 0)
chunk_appendf(&trash, "%d (%s)\n", appctx->ctx.tlskeys.ref->unique_id,
appctx->ctx.tlskeys.ref->filename);
if (appctx->st0 == STAT_CLI_O_TLSK_ENT) {
while (appctx->ctx.tlskeys.dump_keys_index < TLS_TICKETS_NO) {
struct chunk *t2 = get_trash_chunk();
chunk_reset(t2);
/* should never fail here because we dump only a key in the t2 buffer */
t2->len = a2base64((char *)(appctx->ctx.tlskeys.ref->tlskeys + (head + 2 + appctx->ctx.tlskeys.dump_keys_index) % TLS_TICKETS_NO),
sizeof(struct tls_sess_key), t2->str, t2->size);
chunk_appendf(&trash, "%d.%d %s\n", appctx->ctx.tlskeys.ref->unique_id, appctx->ctx.tlskeys.dump_keys_index, t2->str);
if (bi_putchk(si_ic(si), &trash) == -1) {
/* let's try again later from this stream. We add ourselves into
* this stream's users so that it can remove us upon termination.
*/
si_applet_cant_put(si);
return 0;
}
appctx->ctx.tlskeys.dump_keys_index++;
}
appctx->ctx.tlskeys.dump_keys_index = 0;
}
if (bi_putchk(si_ic(si), &trash) == -1) {
/* let's try again later from this stream. We add ourselves into
* this stream's users so that it can remove us upon termination.
*/
si_applet_cant_put(si);
return 0;
}
if (appctx->ctx.tlskeys.dump_all == 0) /* don't display everything if not necessary */
break;
/* get next list entry and check the end of the list */
appctx->ctx.tlskeys.ref = tlskeys_list_get_next(appctx->ctx.tlskeys.ref, &tlskeys_reference);
}
appctx->st2 = STAT_ST_FIN;
/* fall through */
default:
appctx->st2 = STAT_ST_FIN;
return 1;
}
return 0;
}
#endif
static int stats_pats_list(struct stream_interface *si) static int stats_pats_list(struct stream_interface *si)
{ {
struct appctx *appctx = __objt_appctx(si->end); struct appctx *appctx = __objt_appctx(si->end);

271
src/ssl_sock.c
View File

@ -69,12 +69,17 @@
#include <ebsttree.h> #include <ebsttree.h>
#include <types/applet.h>
#include <types/cli.h>
#include <types/global.h> #include <types/global.h>
#include <types/ssl_sock.h> #include <types/ssl_sock.h>
#include <types/stats.h>
#include <proto/acl.h> #include <proto/acl.h>
#include <proto/arg.h> #include <proto/arg.h>
#include <proto/channel.h>
#include <proto/connection.h> #include <proto/connection.h>
#include <proto/cli.h>
#include <proto/fd.h> #include <proto/fd.h>
#include <proto/freq_ctr.h> #include <proto/freq_ctr.h>
#include <proto/frontend.h> #include <proto/frontend.h>
@ -83,6 +88,7 @@
#include <proto/pattern.h> #include <proto/pattern.h>
#include <proto/proto_tcp.h> #include <proto/proto_tcp.h>
#include <proto/server.h> #include <proto/server.h>
#include <proto/stream_interface.h>
#include <proto/log.h> #include <proto/log.h>
#include <proto/proxy.h> #include <proto/proxy.h>
#include <proto/shctx.h> #include <proto/shctx.h>
@ -5977,6 +5983,270 @@ static int ssl_parse_default_server_options(char **args, int section_type, struc
return 0; return 0;
} }
/* This function is used with TLS ticket keys management. It permits to browse
* each reference. The variable <getnext> must contain the current node,
* <end> point to the root node.
*/
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
static inline
struct tls_keys_ref *tlskeys_list_get_next(struct tls_keys_ref *getnext, struct list *end)
{
struct tls_keys_ref *ref = getnext;
while (1) {
/* Get next list entry. */
ref = LIST_NEXT(&ref->list, struct tls_keys_ref *, list);
/* If the entry is the last of the list, return NULL. */
if (&ref->list == end)
return NULL;
return ref;
}
}
static inline
struct tls_keys_ref *tlskeys_ref_lookup_ref(const char *reference)
{
int id;
char *error;
/* If the reference starts by a '#', this is numeric id. */
if (reference[0] == '#') {
/* Try to convert the numeric id. If the conversion fails, the lookup fails. */
id = strtol(reference + 1, &error, 10);
if (*error != '\0')
return NULL;
/* Perform the unique id lookup. */
return tlskeys_ref_lookupid(id);
}
/* Perform the string lookup. */
return tlskeys_ref_lookup(reference);
}
#endif
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
static int cli_io_handler_tlskeys_files(struct appctx *appctx);
static inline int cli_io_handler_tlskeys_entries(struct appctx *appctx) {
return cli_io_handler_tlskeys_files(appctx);
}
static int cli_io_handler_tlskeys_files(struct appctx *appctx) {
struct stream_interface *si = appctx->owner;
switch (appctx->st2) {
case STAT_ST_INIT:
/* Display the column headers. If the message cannot be sent,
* quit the fucntion with returning 0. The function is called
* later and restart at the state "STAT_ST_INIT".
*/
chunk_reset(&trash);
if (appctx->io_handler == cli_io_handler_tlskeys_entries)
chunk_appendf(&trash, "# id secret\n");
else
chunk_appendf(&trash, "# id (file)\n");
if (bi_putchk(si_ic(si), &trash) == -1) {
si_applet_cant_put(si);
return 0;
}
appctx->ctx.tlskeys.dump_keys_index = 0;
/* Now, we start the browsing of the references lists.
* Note that the following call to LIST_ELEM return bad pointer. The only
* available field of this pointer is <list>. It is used with the function
* tlskeys_list_get_next() for retruning the first available entry
*/
if (appctx->ctx.tlskeys.ref == NULL) {
appctx->ctx.tlskeys.ref = LIST_ELEM(&tlskeys_reference, struct tls_keys_ref *, list);
appctx->ctx.tlskeys.ref = tlskeys_list_get_next(appctx->ctx.tlskeys.ref, &tlskeys_reference);
}
appctx->st2 = STAT_ST_LIST;
/* fall through */
case STAT_ST_LIST:
while (appctx->ctx.tlskeys.ref) {
int head = appctx->ctx.tlskeys.ref->tls_ticket_enc_index;
chunk_reset(&trash);
if (appctx->io_handler == cli_io_handler_tlskeys_entries && appctx->ctx.tlskeys.dump_keys_index == 0)
chunk_appendf(&trash, "# ");
if (appctx->ctx.tlskeys.dump_keys_index == 0)
chunk_appendf(&trash, "%d (%s)\n", appctx->ctx.tlskeys.ref->unique_id,
appctx->ctx.tlskeys.ref->filename);
if (appctx->io_handler == cli_io_handler_tlskeys_entries) {
while (appctx->ctx.tlskeys.dump_keys_index < TLS_TICKETS_NO) {
struct chunk *t2 = get_trash_chunk();
chunk_reset(t2);
/* should never fail here because we dump only a key in the t2 buffer */
t2->len = a2base64((char *)(appctx->ctx.tlskeys.ref->tlskeys + (head + 2 + appctx->ctx.tlskeys.dump_keys_index) % TLS_TICKETS_NO),
sizeof(struct tls_sess_key), t2->str, t2->size);
chunk_appendf(&trash, "%d.%d %s\n", appctx->ctx.tlskeys.ref->unique_id, appctx->ctx.tlskeys.dump_keys_index, t2->str);
if (bi_putchk(si_ic(si), &trash) == -1) {
/* let's try again later from this stream. We add ourselves into
* this stream's users so that it can remove us upon termination.
*/
si_applet_cant_put(si);
return 0;
}
appctx->ctx.tlskeys.dump_keys_index++;
}
appctx->ctx.tlskeys.dump_keys_index = 0;
}
if (bi_putchk(si_ic(si), &trash) == -1) {
/* let's try again later from this stream. We add ourselves into
* this stream's users so that it can remove us upon termination.
*/
si_applet_cant_put(si);
return 0;
}
if (appctx->ctx.tlskeys.dump_all == 0) /* don't display everything if not necessary */
break;
/* get next list entry and check the end of the list */
appctx->ctx.tlskeys.ref = tlskeys_list_get_next(appctx->ctx.tlskeys.ref, &tlskeys_reference);
}
appctx->st2 = STAT_ST_FIN;
/* fall through */
default:
appctx->st2 = STAT_ST_FIN;
return 1;
}
return 0;
}
#endif
static int cli_parse_show_tlskeys(char **args, struct appctx *appctx, void *private)
{
appctx->ctx.tlskeys.dump_all = 0;
/* no parameter, shows only file list */
if (!*args[2]) {
appctx->ctx.tlskeys.dump_all = 1;
appctx->st2 = STAT_ST_INIT;
appctx->st0 = STAT_CLI_O_CUSTOM;
appctx->io_handler = cli_io_handler_tlskeys_files;
return 1;
}
if (args[2][0] == '*') {
/* list every TLS ticket keys */
appctx->ctx.tlskeys.ref = NULL;
appctx->ctx.tlskeys.dump_all = 1;
} else {
appctx->ctx.tlskeys.ref = tlskeys_ref_lookup_ref(args[2]);
if(!appctx->ctx.tlskeys.ref) {
appctx->ctx.cli.msg = "'show tls-keys' unable to locate referenced filename\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
}
}
appctx->st2 = STAT_ST_INIT;
appctx->st0 = STAT_CLI_O_CUSTOM;
appctx->io_handler = cli_io_handler_tlskeys_entries;
return 1;
}
static int cli_parse_set_tlskeys(char **args, struct appctx *appctx, void *private)
{
/* Expect two parameters: the filename and the new new TLS key in encoding */
if (!*args[3] || !*args[4]) {
appctx->ctx.cli.msg = "'set ssl tls-key' expects a filename and the new TLS key in base64 encoding.\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
}
appctx->ctx.tlskeys.ref = tlskeys_ref_lookup_ref(args[3]);
if(!appctx->ctx.tlskeys.ref) {
appctx->ctx.cli.msg = "'set ssl tls-key' unable to locate referenced filename\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
}
trash.len = base64dec(args[4], strlen(args[4]), trash.str, trash.size);
if (trash.len != sizeof(struct tls_sess_key)) {
appctx->ctx.cli.msg = "'set ssl tls-key' received invalid base64 encoded TLS key.\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
}
memcpy(appctx->ctx.tlskeys.ref->tlskeys + ((appctx->ctx.tlskeys.ref->tls_ticket_enc_index + 2) % TLS_TICKETS_NO), trash.str, trash.len);
appctx->ctx.tlskeys.ref->tls_ticket_enc_index = (appctx->ctx.tlskeys.ref->tls_ticket_enc_index + 1) % TLS_TICKETS_NO;
appctx->ctx.cli.msg = "TLS ticket key updated!";
appctx->st0 = STAT_CLI_PRINT;
return 1;
}
static int cli_parse_set_ocspresponse(char **args, struct appctx *appctx, void *private)
{
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
char *err = NULL;
/* Expect one parameter: the new response in base64 encoding */
if (!*args[3]) {
appctx->ctx.cli.msg = "'set ssl ocsp-response' expects response in base64 encoding.\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
}
trash.len = base64dec(args[3], strlen(args[3]), trash.str, trash.size);
if (trash.len < 0) {
appctx->ctx.cli.msg = "'set ssl ocsp-response' received invalid base64 encoded response.\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
}
if (ssl_sock_update_ocsp_response(&trash, &err)) {
if (err) {
memprintf(&err, "%s.\n", err);
appctx->ctx.cli.err = err;
appctx->st0 = STAT_CLI_PRINT_FREE;
}
return 1;
}
appctx->ctx.cli.msg = "OCSP Response updated!";
appctx->st0 = STAT_CLI_PRINT;
return 1;
#else
appctx->ctx.cli.msg = "HAProxy was compiled against a version of OpenSSL that doesn't support OCSP stapling.\n";
appctx->st0 = STAT_CLI_PRINT;
return 1;
#endif
}
/* register cli keywords */
static struct cli_kw_list cli_kws = {{ },{
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
{ { "show", "tls-keys", NULL }, "show tls-keys [id|*]: show tls keys references or dump tls ticket keys when id specified", cli_parse_show_tlskeys, NULL },
{ { "set", "ssl", "tls-keys", NULL }, NULL, cli_parse_set_tlskeys, NULL },
{ { "set", "ssl", "ocsp-response", NULL }, NULL, cli_parse_set_ocspresponse, NULL },
#endif
{ { NULL }, NULL, NULL, NULL }
}};
/* Note: must not be declared <const> as its list will be overwritten. /* Note: must not be declared <const> as its list will be overwritten.
* Please take care of keeping this list alphabetically sorted. * Please take care of keeping this list alphabetically sorted.
*/ */
@ -6171,6 +6441,7 @@ static void __ssl_sock_init(void)
bind_register_keywords(&bind_kws); bind_register_keywords(&bind_kws);
srv_register_keywords(&srv_kws); srv_register_keywords(&srv_kws);
cfg_register_keywords(&cfg_kws); cfg_register_keywords(&cfg_kws);
cli_register_kw(&cli_kws);
global.ssl_session_max_cost = SSL_SESSION_MAX_COST; global.ssl_session_max_cost = SSL_SESSION_MAX_COST;
global.ssl_handshake_max_cost = SSL_HANDSHAKE_MAX_COST; global.ssl_handshake_max_cost = SSL_HANDSHAKE_MAX_COST;