[ 
https://issues.apache.org/jira/browse/TS-4320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15237279#comment-15237279
 ] 

ASF GitHub Bot commented on TS-4320:
------------------------------------

Github user jpeach commented on a diff in the pull request:

    https://github.com/apache/trafficserver/pull/560#discussion_r59386613
  
    --- Diff: plugins/experimental/acme/acme.c ---
    @@ -0,0 +1,347 @@
    +/** @file
    +
    +@section license
    +
    +Licensed under the Apache License, Version 2.0 (the "License");
    +you may not use this file except in compliance with the License.
    +You may obtain a copy of the License at
    +
    +http://www.apache.org/licenses/LICENSE-2.0
    +
    +Unless required by applicable law or agreed to in writing, software
    +distributed under the License is distributed on an "AS IS" BASIS,
    +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    +See the License for the specific language governing permissions and
    +limitations under the License.
    + */
    +
    +#include <stdio.h>
    +#include <stdlib.h>
    +#include <ctype.h>
    +#include <string.h>
    +#include <sys/types.h>
    +#include <unistd.h>
    +#include <getopt.h>
    +#include <sys/stat.h>
    +
    +#include "ts/ts.h"
    +#include "ts/ink_platform.h"
    +#include "ts/ink_defs.h"
    +
    +static const char PLUGIN_NAME[] = "acme";
    +static const char ACME_WK_PATH[] = ".well-known/acme-challenge/";
    +static const char ACME_OK_RESP[] = "HTTP/1.1 200 OK\r\nContent-Type: 
application/jose\r\nCache-Control: no-cache\r\n";
    +static const char ACME_DENIED_RESP[] = "HTTP/1.1 404 Not 
Found\r\nContent-Type: application/jose\r\nCache-Control: no-cache\r\n";
    +
    +#define MAX_PATH_LEN 4096
    +
    +/* This should hold all configurations going forward. */
    +typedef struct AcmeConfig_t {
    +  char *proof;
    +} AcmeConfig;
    +AcmeConfig gConfig;
    +
    +/* State used for the intercept plugin. ToDo: Can this be improved ? */
    +typedef struct AcmeState_t {
    +  TSVConn net_vc;
    +  TSVIO read_vio;
    +  TSVIO write_vio;
    +
    +  TSIOBuffer req_buffer;
    +  TSIOBuffer resp_buffer;
    +  TSIOBufferReader resp_reader;
    +
    +  int output_bytes;
    +  int fd;
    +  struct stat stat_buf;
    +} AcmeState;
    +
    +
    +inline static AcmeState *
    +make_acme_state()
    +{
    +  AcmeState *state = (AcmeState *)TSmalloc(sizeof(AcmeState));
    +
    +  memset(state, 0, sizeof(AcmeState));
    +  state->fd = -1;
    +
    +  return state;
    +}
    +
    +/* Create a safe pathname to the proof-type file, the destination must be 
sufficiently large. */
    +static int
    +make_absolute_path(char *dest, int dest_len, const char *file, int 
file_len)
    +{
    +  int i;
    +
    +  for (i = 0; i < file_len; ++i) {
    +    char c = file[i];
    +
    +    /* Assure that only Base64-URL chracter are in the path */
    +    if (!(c == 45 || c == 95 || (c >= 48 && c <= 57) || (c >= 65 && c <= 
90) || (c >= 97 && c <= 122))) {
    +      TSDebug(PLUGIN_NAME, "Invalid Base64 character found, error");
    +      return 0;
    +    }
    +  }
    +
    +  return snprintf(dest, dest_len - 1, "%s/%.*s", gConfig.proof, file_len, 
file);
    +}
    +
    +static void
    +open_acme_file(AcmeState *state, const char *file, int file_len)
    +{
    +  char fname[MAX_PATH_LEN];
    +  int len = make_absolute_path(fname, MAX_PATH_LEN - 1, file, file_len);
    +
    +  /* 1. Make sure the filename is reasonable */
    +  if (!len || (len >= (MAX_PATH_LEN - 1))) {
    +    TSDebug(PLUGIN_NAME, "invalid filename");
    +    return;
    +  }
    +
    +  /* 2. Open and stat() the file */
    +  state->fd = open(fname, O_RDONLY);
    +  if (-1 == state->fd) {
    +    TSDebug(PLUGIN_NAME, "can not open file %s", fname);
    +    return;
    +  } else if (fstat(state->fd, &state->stat_buf)) {
    +    TSDebug(PLUGIN_NAME, "can not stat() file %s", fname);
    +    close(state->fd);
    +    state->fd = -1;
    +
    +    return;
    +  }
    +
    +  TSDebug(PLUGIN_NAME, "opened filename of %s for read()", fname);
    +  return;
    +}
    +
    +
    +/* Cleanup after intercept has completed */
    +static void
    +cleanup(TSCont contp, AcmeState *my_state)
    +{
    +  if (my_state->req_buffer) {
    +    TSIOBufferDestroy(my_state->req_buffer);
    +    my_state->req_buffer = NULL;
    +  }
    +
    +  if (my_state->resp_buffer) {
    +    TSIOBufferDestroy(my_state->resp_buffer);
    +    my_state->resp_buffer = NULL;
    +  }
    +
    +  TSVConnClose(my_state->net_vc);
    +  TSfree(my_state);
    +  TSContDestroy(contp);
    +}
    +
    +/* Add data to the output */
    +inline static int
    +add_data_to_resp(const char *buf, int len, AcmeState *my_state)
    +{
    +  TSIOBufferWrite(my_state->resp_buffer, buf, len);
    +  return len;
    +}
    +
    +static int
    +add_file_to_resp(AcmeState *my_state)
    +{
    +  if (-1 == my_state->fd) {
    +    return add_data_to_resp("\r\n", 2, my_state);
    +  } else {
    +    int ret = 0, len;
    +    char buf[8192];
    +
    +    while (1) {
    +      len = read(my_state->fd, buf, sizeof(buf));
    +      if ((0 == len) || ((-1 == len) && (errno != EAGAIN) && (errno != 
EINTR))) {
    +        break;
    +      } else {
    +        TSIOBufferWrite(my_state->resp_buffer, buf, len);
    +        ret += len;
    +      }
    +    }
    +    close(my_state->fd);
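Review bot: The read loop in add_file_to_resp mishandles the retryable errors it tries to tolerate: when read() returns -1 with errno set to EAGAIN or EINTR, the break condition is false, so the else branch calls `TSIOBufferWrite(my_state->resp_buffer, buf, len)` with len == -1 and then decrements ret. Split the error case out so a transient error retries and any other error stops the loop, as below; the fix keeps the body count correct and avoids handing a negative length to the buffer API. errno is used here but no `<errno.h>` appears among the includes at the top of the hunk, and `O_RDONLY` in open_acme_file likewise needs `<fcntl.h>`; both may arrive via the ts headers, which is worth confirming rather than relying on. add_file_to_resp's body continues past the end of the quoted hunk.
```c
    while (1) {
      len = read(my_state->fd, buf, sizeof(buf));
      if (len < 0) {
        if (errno == EINTR || errno == EAGAIN) {
          continue; /* transient: retry the read */
        }
        break; /* hard error: stop and send what was buffered so far */
      }
      if (0 == len) {
        break; /* EOF */
      }
      TSIOBufferWrite(my_state->resp_buffer, buf, len);
      ret += len;
    }
    /* … unchanged: close(my_state->fd) and the remainder of the function … */
```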
    --- End diff --
    
    ```C
    my_state->fd = -1;
    ```


> Implement a letsencrypt / ACME plugin for ATS
> ---------------------------------------------
>
>                 Key: TS-4320
>                 URL: https://issues.apache.org/jira/browse/TS-4320
>             Project: Traffic Server
>          Issue Type: New Feature
>          Components: Plugins
>            Reporter: Leif Hedstrom
>            Assignee: Phil Sorber
>             Fix For: 6.2.0
>
>
> We should implement the ACME protocols as part of the letsencrypt services 
> for ATS. This allows easier (zero work) TLS setup when configuring a web 
> server based on ATS.



