nice, all ssl variants build well
https://travis-ci.com/github/chipitsine/haproxy/builds/174323866

вс, 5 июл. 2020 г. в 15:48, Gersner <gers...@gmail.com>:

>
>
> On Sun, Jul 5, 2020 at 1:42 PM Илья Шипицин <chipits...@gmail.com> wrote:
>
>> do you have your patches on github fork ?
>> (I could not find your fork)
>>
> Yes. See branch
> https://github.com/Azure/haproxy/tree/wip/sgersner/ca-sign-extra
>
>>
>> вс, 5 июл. 2020 г. в 15:13, Gersner <gers...@gmail.com>:
>>
>>>
>>>
>>> On Sun, Jul 5, 2020 at 12:28 PM Илья Шипицин <chipits...@gmail.com>
>>> wrote:
>>>
>>>> does it clearly applies to current master ? either gmail scrambled
>>>> patch or it is not.
>>>> can you try please ?
>>>>
>>> Exporting the eml and running 'git am' it works cleanly.
>>>
>>> I've reproduced the exact same output when copy-pasting from gmail. It
>>> seems gmail converts the tabs to spaces and this fails the patch (Not sure
>>> why).
>>> Running patch with '-l' will resolve this, but it's probably safer to
>>> run git am on the email.
>>>
>>>
>>>>
>>>> $ patch -p1 < 1.patch
>>>> patching file doc/configuration.txt
>>>> patching file include/haproxy/listener-t.h
>>>> Hunk #1 FAILED at 163.
>>>> 1 out of 1 hunk FAILED -- saving rejects to file
>>>> include/haproxy/listener-t.h.rej
>>>> patching file src/cfgparse-ssl.c
>>>> Hunk #1 succeeded at 538 with fuzz 1.
>>>> Hunk #2 FAILED at 1720.
>>>> 1 out of 2 hunks FAILED -- saving rejects to file src/cfgparse-ssl.c.rej
>>>> patching file src/ssl_sock.c
>>>> Hunk #1 FAILED at 1750.
>>>> Hunk #2 FAILED at 1864.
>>>> Hunk #3 FAILED at 1912.
>>>> Hunk #4 FAILED at 1943.
>>>> Hunk #5 FAILED at 1970.
>>>> Hunk #6 FAILED at 4823.
>>>> Hunk #7 FAILED at 4843.
>>>> 7 out of 7 hunks FAILED -- saving rejects to file src/ssl_sock.c.rej
>>>>
>>>> вс, 5 июл. 2020 г. в 11:46, <gers...@gmail.com>:
>>>>
>>>>> From: Shimi Gersner <sgers...@microsoft.com>
>>>>>
>>>>> haproxy supports generating SSL certificates based on SNI using a
>>>>> provided
>>>>> CA signing certificate. Because CA certificates may be signed by
>>>>> multiple
>>>>> CAs, in some scenarios, it is neccesary for the server to attach the
>>>>> trust chain
>>>>> in addition to the generated certificate.
>>>>>
>>>>> The following patch adds the ability to optionally serve all public
>>>>> certificates provided in the `ca-sign-file` PEM file.
>>>>> Certificate loading was ported to use `ca_sign_use_chain` structure,
>>>>> instead of directly reading public/private keys.
>>>>> ---
>>>>>  doc/configuration.txt        |  8 +++
>>>>>  include/haproxy/listener-t.h |  4 +-
>>>>>  src/cfgparse-ssl.c           | 13 +++++
>>>>>  src/ssl_sock.c               | 98 ++++++++++++++++++++----------------
>>>>>  4 files changed, 78 insertions(+), 45 deletions(-)
>>>>>
>>>>> diff --git a/doc/configuration.txt b/doc/configuration.txt
>>>>> index 6d472134e..1d3878bc1 100644
>>>>> --- a/doc/configuration.txt
>>>>> +++ b/doc/configuration.txt
>>>>> @@ -12158,6 +12158,14 @@ ca-sign-pass <passphrase>
>>>>>    the dynamic generation of certificates is enabled. See
>>>>>    'generate-certificates' for details.
>>>>>
>>>>> +ca-sign-use-chain
>>>>> +  This setting is only available when support for OpenSSL was built
>>>>> in. It is
>>>>> +  the CA private key passphrase. This setting is optional and used
>>>>> only when
>>>>> +  the dynamic generation of certificates is enabled. See
>>>>> +  'generate-certificates' for details.
>>>>> +  Enabling this flag will attach all public certificates encoded in
>>>>> `ca-sign-file`
>>>>> +  to the served certificate to the client, enabling trust.
>>>>> +
>>>>>  ca-verify-file <cafile>
>>>>>    This setting designates a PEM file from which to load CA
>>>>> certificates used to
>>>>>    verify client's certificate. It designates CA certificates which
>>>>> must not be
>>>>> diff --git a/include/haproxy/listener-t.h
>>>>> b/include/haproxy/listener-t.h
>>>>> index 224e32513..38ca2839f 100644
>>>>> --- a/include/haproxy/listener-t.h
>>>>> +++ b/include/haproxy/listener-t.h
>>>>> @@ -163,8 +163,8 @@ struct bind_conf {
>>>>>         char *ca_sign_file;        /* CAFile used to generate and sign
>>>>> server certificates */
>>>>>         char *ca_sign_pass;        /* CAKey passphrase */
>>>>>
>>>>> -       X509     *ca_sign_cert;    /* CA certificate referenced by
>>>>> ca_file */
>>>>> -       EVP_PKEY *ca_sign_pkey;    /* CA private key referenced by
>>>>> ca_key */
>>>>> +       int ca_sign_use_chain;     /* Optionally attached the
>>>>> certificate chain to the served certificate */
>>>>> +       struct cert_key_and_chain * ca_sign_ckch;       /* CA and
>>>>> possible certificate chain for ca generation */
>>>>>  #endif
>>>>>         struct proxy *frontend;    /* the frontend all these listeners
>>>>> belong to, or NULL */
>>>>>         const struct mux_proto_list *mux_proto; /* the mux to use for
>>>>> all incoming connections (specified by the "proto" keyword) */
>>>>> diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
>>>>> index 144cef882..270c857f9 100644
>>>>> --- a/src/cfgparse-ssl.c
>>>>> +++ b/src/cfgparse-ssl.c
>>>>> @@ -538,6 +538,18 @@ static int bind_parse_ca_sign_file(char **args,
>>>>> int cur_arg, struct proxy *px, s
>>>>>         return 0;
>>>>>  }
>>>>>
>>>>> +/* parse the "ca-sign-use-chain" bind keyword */
>>>>> +static int bind_parse_ca_sign_use_chain(char **args, int cur_arg,
>>>>> struct proxy *px, struct bind_conf *conf, char **err)
>>>>> +{
>>>>> +#if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined
>>>>> SSL_NO_GENERATE_CERTIFICATES && defined SSL_CTX_set1_chain)
>>>>> +       conf->ca_sign_use_chain = 1;
>>>>> +#else
>>>>> +       memprintf(err, "%sthis version of openssl cannot attach
>>>>> certificate chain for SSL certificate generation.\n",
>>>>> +                 err && *err ? *err : "");
>>>>> +#endif
>>>>> +       return 0;
>>>>> +}
>>>>> +
>>>>>  /* parse the "ca-sign-pass" bind keyword */
>>>>>  static int bind_parse_ca_sign_pass(char **args, int cur_arg, struct
>>>>> proxy *px, struct bind_conf *conf, char **err)
>>>>>  {
>>>>> @@ -1708,6 +1720,7 @@ static struct bind_kw_list bind_kws = { "SSL", {
>>>>> }, {
>>>>>         { "ca-ignore-err",         bind_parse_ignore_err,         1 },
>>>>> /* set error IDs to ignore on verify depth > 0 */
>>>>>         { "ca-sign-file",          bind_parse_ca_sign_file,       1 },
>>>>> /* set CAFile used to generate and sign server certs */
>>>>>         { "ca-sign-pass",          bind_parse_ca_sign_pass,       1 },
>>>>> /* set CAKey passphrase */
>>>>> +       { "ca-sign-use-chain",     bind_parse_ca_sign_use_chain,  1 },
>>>>> /* enable attaching ca chain to generated certificate */
>>>>>         { "ciphers",               bind_parse_ciphers,            1 },
>>>>> /* set SSL cipher suite */
>>>>>  #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
>>>>>         { "ciphersuites",          bind_parse_ciphersuites,       1 },
>>>>> /* set TLS 1.3 cipher suite */
>>>>> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
>>>>> index a32db1a28..54829eb98 100644
>>>>> --- a/src/ssl_sock.c
>>>>> +++ b/src/ssl_sock.c
>>>>> @@ -1750,8 +1750,8 @@ static int ssl_sock_advertise_alpn_protos(SSL
>>>>> *s, const unsigned char **out,
>>>>>  static SSL_CTX *
>>>>>  ssl_sock_do_create_cert(const char *servername, struct bind_conf
>>>>> *bind_conf, SSL *ssl)
>>>>>  {
>>>>> -       X509         *cacert  = bind_conf->ca_sign_cert;
>>>>> -       EVP_PKEY     *capkey  = bind_conf->ca_sign_pkey;
>>>>> +       X509         *cacert  = bind_conf->ca_sign_ckch->cert;
>>>>> +       EVP_PKEY     *capkey  = bind_conf->ca_sign_ckch->key;
>>>>>         SSL_CTX      *ssl_ctx = NULL;
>>>>>         X509         *newcrt  = NULL;
>>>>>         EVP_PKEY     *pkey    = NULL;
>>>>> @@ -1864,6 +1864,16 @@ ssl_sock_do_create_cert(const char *servername,
>>>>> struct bind_conf *bind_conf, SSL
>>>>>         if (!SSL_CTX_check_private_key(ssl_ctx))
>>>>>                 goto mkcert_error;
>>>>>
>>>>> +       /* Assign chain if any */
>>>>> +       if (bind_conf->ca_sign_use_chain &&
>>>>> bind_conf->ca_sign_ckch->chain) {
>>>>> +               if (!SSL_CTX_set1_chain(ssl_ctx,
>>>>> bind_conf->ca_sign_ckch->chain)) {
>>>>> +                       goto mkcert_error;
>>>>> +               }
>>>>> +               if (!SSL_CTX_add1_chain_cert(ssl_ctx,
>>>>> bind_conf->ca_sign_ckch->cert)) {
>>>>> +                       goto mkcert_error;
>>>>> +               }
>>>>> +       }
>>>>> +
>>>>>         if (newcrt) X509_free(newcrt);
>>>>>
>>>>>  #ifndef OPENSSL_NO_DH
>>>>> @@ -1912,7 +1922,7 @@ ssl_sock_assign_generated_cert(unsigned int key,
>>>>> struct bind_conf *bind_conf, SS
>>>>>
>>>>>         if (ssl_ctx_lru_tree) {
>>>>>                 HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK,
>>>>> &ssl_ctx_lru_rwlock);
>>>>> -               lru = lru64_lookup(key, ssl_ctx_lru_tree,
>>>>> bind_conf->ca_sign_cert, 0);
>>>>> +               lru = lru64_lookup(key, ssl_ctx_lru_tree,
>>>>> bind_conf->ca_sign_ckch->cert, 0);
>>>>>                 if (lru && lru->domain) {
>>>>>                         if (ssl)
>>>>>                                 SSL_set_SSL_CTX(ssl, (SSL_CTX
>>>>> *)lru->data);
>>>>> @@ -1943,14 +1953,14 @@ ssl_sock_set_generated_cert(SSL_CTX *ssl_ctx,
>>>>> unsigned int key, struct bind_conf
>>>>>
>>>>>         if (ssl_ctx_lru_tree) {
>>>>>                 HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK,
>>>>> &ssl_ctx_lru_rwlock);
>>>>> -               lru = lru64_get(key, ssl_ctx_lru_tree,
>>>>> bind_conf->ca_sign_cert, 0);
>>>>> +               lru = lru64_get(key, ssl_ctx_lru_tree,
>>>>> bind_conf->ca_sign_ckch->cert, 0);
>>>>>                 if (!lru) {
>>>>>                         HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK,
>>>>> &ssl_ctx_lru_rwlock);
>>>>>                         return -1;
>>>>>                 }
>>>>>                 if (lru->domain && lru->data)
>>>>>                         lru->free((SSL_CTX *)lru->data);
>>>>> -               lru64_commit(lru, ssl_ctx, bind_conf->ca_sign_cert, 0,
>>>>> (void (*)(void *))SSL_CTX_free);
>>>>> +               lru64_commit(lru, ssl_ctx,
>>>>> bind_conf->ca_sign_ckch->cert, 0, (void (*)(void *))SSL_CTX_free);
>>>>>                 HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK,
>>>>> &ssl_ctx_lru_rwlock);
>>>>>                 return 0;
>>>>>         }
>>>>> @@ -1970,7 +1980,7 @@ ssl_sock_generated_cert_key(const void *data,
>>>>> size_t len)
>>>>>  static int
>>>>>  ssl_sock_generate_certificate(const char *servername, struct
>>>>> bind_conf *bind_conf, SSL *ssl)
>>>>>  {
>>>>> -       X509         *cacert  = bind_conf->ca_sign_cert;
>>>>> +       X509         *cacert  = bind_conf->ca_sign_ckch->cert;
>>>>>         SSL_CTX      *ssl_ctx = NULL;
>>>>>         struct lru64 *lru     = NULL;
>>>>>         unsigned int  key;
>>>>> @@ -4823,13 +4833,12 @@ int
>>>>>  ssl_sock_load_ca(struct bind_conf *bind_conf)
>>>>>  {
>>>>>         struct proxy *px = bind_conf->frontend;
>>>>> -       FILE     *fp;
>>>>> -       X509     *cacert = NULL;
>>>>> -       EVP_PKEY *capkey = NULL;
>>>>> -       int       err    = 0;
>>>>> +       struct cert_key_and_chain *ckch = NULL;
>>>>> +       int ret = 0;
>>>>> +       char *err = NULL;
>>>>>
>>>>>         if (!bind_conf->generate_certs)
>>>>> -               return err;
>>>>> +               return ret;
>>>>>
>>>>>  #if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined
>>>>> SSL_NO_GENERATE_CERTIFICATES)
>>>>>         if (global_ssl.ctx_cache) {
>>>>> @@ -4843,52 +4852,55 @@ ssl_sock_load_ca(struct bind_conf *bind_conf)
>>>>>                 ha_alert("Proxy '%s': cannot enable certificate
>>>>> generation, "
>>>>>                          "no CA certificate File configured at
>>>>> [%s:%d].\n",
>>>>>                          px->id, bind_conf->file, bind_conf->line);
>>>>> -               goto load_error;
>>>>> +               goto failed;
>>>>>         }
>>>>>
>>>>> -       /* read in the CA certificate */
>>>>> -       if (!(fp = fopen(bind_conf->ca_sign_file, "r"))) {
>>>>> -               ha_alert("Proxy '%s': Failed to read CA certificate
>>>>> file '%s' at [%s:%d].\n",
>>>>> -                        px->id, bind_conf->ca_sign_file,
>>>>> bind_conf->file, bind_conf->line);
>>>>> -               goto load_error;
>>>>> +       /* Allocate cert structure */
>>>>> +       ckch = calloc(1, sizeof(struct cert_key_and_chain));
>>>>> +       if (!ckch) {
>>>>> +               ha_alert("Proxy '%s': Failed to read CA certificate
>>>>> file '%s' at [%s:%d]. Chain allocation failure\n",
>>>>> +                       px->id, bind_conf->ca_sign_file,
>>>>> bind_conf->file, bind_conf->line);
>>>>>         }
>>>>> -       if (!(cacert = PEM_read_X509(fp, NULL, NULL, NULL))) {
>>>>> -               ha_alert("Proxy '%s': Failed to read CA certificate
>>>>> file '%s' at [%s:%d].\n",
>>>>> -                        px->id, bind_conf->ca_sign_file,
>>>>> bind_conf->file, bind_conf->line);
>>>>> -               goto read_error;
>>>>> +
>>>>> +       /* Try to parse file */
>>>>> +       if (ssl_sock_load_files_into_ckch(bind_conf->ca_sign_file,
>>>>> ckch, &err)) {
>>>>> +               ha_alert("Proxy '%s': Failed to read CA certificate
>>>>> file '%s' at [%s:%d]. Chain loading failed: %s\n",
>>>>> +                       px->id, bind_conf->ca_sign_file,
>>>>> bind_conf->file, bind_conf->line, err);
>>>>> +               if (err) free(err);
>>>>> +               goto failed;
>>>>>         }
>>>>> -       rewind(fp);
>>>>> -       if (!(capkey = PEM_read_PrivateKey(fp, NULL, NULL,
>>>>> bind_conf->ca_sign_pass))) {
>>>>> -               ha_alert("Proxy '%s': Failed to read CA private key
>>>>> file '%s' at [%s:%d].\n",
>>>>> -                        px->id, bind_conf->ca_sign_file,
>>>>> bind_conf->file, bind_conf->line);
>>>>> -               goto read_error;
>>>>> +
>>>>> +       /* Fail if missing cert or pkey */
>>>>> +       if ((!ckch->cert) || (!ckch->key)) {
>>>>> +               ha_alert("Proxy '%s': Failed to read CA certificate
>>>>> file '%s' at [%s:%d]. Chain missing certificate or private key\n",
>>>>> +                       px->id, bind_conf->ca_sign_file,
>>>>> bind_conf->file, bind_conf->line);
>>>>> +               goto failed;
>>>>>         }
>>>>>
>>>>> -       fclose (fp);
>>>>> -       bind_conf->ca_sign_cert = cacert;
>>>>> -       bind_conf->ca_sign_pkey = capkey;
>>>>> -       return err;
>>>>> +       /* Final assignment to bind */
>>>>> +       bind_conf->ca_sign_ckch = ckch;
>>>>> +       return ret;
>>>>> +
>>>>> + failed:
>>>>> +       if (ckch) {
>>>>> +               ssl_sock_free_cert_key_and_chain_contents(ckch);
>>>>> +               free(ckch);
>>>>> +       }
>>>>>
>>>>> - read_error:
>>>>> -       fclose (fp);
>>>>> -       if (capkey) EVP_PKEY_free(capkey);
>>>>> -       if (cacert) X509_free(cacert);
>>>>> - load_error:
>>>>>         bind_conf->generate_certs = 0;
>>>>> -       err++;
>>>>> -       return err;
>>>>> +       ret++;
>>>>> +       return ret;
>>>>>  }
>>>>>
>>>>>  /* Release CA cert and private key used to generate certificated */
>>>>>  void
>>>>>  ssl_sock_free_ca(struct bind_conf *bind_conf)
>>>>>  {
>>>>> -       if (bind_conf->ca_sign_pkey)
>>>>> -               EVP_PKEY_free(bind_conf->ca_sign_pkey);
>>>>> -       if (bind_conf->ca_sign_cert)
>>>>> -               X509_free(bind_conf->ca_sign_cert);
>>>>> -       bind_conf->ca_sign_pkey = NULL;
>>>>> -       bind_conf->ca_sign_cert = NULL;
>>>>> +       if (bind_conf->ca_sign_ckch) {
>>>>> +
>>>>>  ssl_sock_free_cert_key_and_chain_contents(bind_conf->ca_sign_ckch);
>>>>> +               free(bind_conf->ca_sign_ckch);
>>>>> +               bind_conf->ca_sign_ckch = NULL;
>>>>> +       }
>>>>>  }
>>>>>
>>>>>  /*
>>>>> --
>>>>> 2.27.0
>>>>>
>>>>>
>>>>>

Reply via email to