add scaffolding code for alpn challenge
This commit is contained in:
parent
4cd64cd06d
commit
21696a0f2e
@ -37,9 +37,18 @@ extern "C" {
|
|||
#define KORE_ACME_ACCOUNT_RESOLVE (KORE_MSG_ACME_BASE + 11)
|
||||
#define KORE_ACME_ORDER_CREATE (KORE_MSG_ACME_BASE + 12)
|
||||
|
||||
#define KORE_ACME_CHALLENGE_SET_CERT (KORE_MSG_ACME_BASE + 20)
|
||||
#define KORE_ACME_CHALLENGE_CLEAR_CERT (KORE_MSG_ACME_BASE + 21)
|
||||
|
||||
void kore_acme_run(void);
|
||||
void kore_acme_setup(void);
|
||||
|
||||
int kore_acme_tls_challenge_selected(SSL *, struct kore_domain *);
|
||||
void kore_acme_tls_challenge_use_cert(SSL *, struct kore_domain *);
|
||||
|
||||
int kore_acme_tls_alpn(SSL *, const unsigned char **, unsigned char *,
|
||||
const unsigned char *, unsigned int, void *);
|
||||
|
||||
extern char *acme_provider;
|
||||
|
||||
#if defined(__cplusplus)
|
||||
|
|
|
@ -296,6 +296,9 @@ struct kore_domain {
|
|||
|
||||
#if defined(KORE_USE_ACME)
|
||||
int acme;
|
||||
int acme_challenge;
|
||||
void *acme_cert;
|
||||
size_t acme_cert_len;
|
||||
#endif
|
||||
char *cafile;
|
||||
char *crlfile;
|
||||
|
|
71
src/acme.c
71
src/acme.c
|
@ -176,6 +176,9 @@ static char *revoke_url = NULL;
|
|||
static const char *account_id = NULL;
|
||||
static char *account_url = NULL;
|
||||
|
||||
static u_int8_t acme_alpn_name[] =
|
||||
{ 0xa, 'a', 'c', 'm', 'e', '-', 't', 'l', 's', '/', '1' };
|
||||
|
||||
char *acme_provider = NULL;
|
||||
char *acme_root_path = NULL;
|
||||
char *acme_runas_user = NULL;
|
||||
|
@ -217,7 +220,7 @@ kore_acme_run(void)
|
|||
kore_worker_privdrop(acme_runas_user, acme_root_path);
|
||||
|
||||
#if defined(__OpenBSD__)
|
||||
if (pledge("stdio rpath", NULL) == -1)
|
||||
if (pledge("stdio inet", NULL) == -1)
|
||||
fatal("failed to pledge acme process");
|
||||
#endif
|
||||
|
||||
|
@ -262,6 +265,72 @@ kore_acme_run(void)
|
|||
net_cleanup();
|
||||
}
|
||||
|
||||
int
|
||||
kore_acme_tls_alpn(SSL *ssl, const unsigned char **out, unsigned char *outlen,
|
||||
const unsigned char *in, unsigned int inlen, void *udata)
|
||||
{
|
||||
struct kore_domain *dom = udata;
|
||||
|
||||
if (dom->acme == 0)
|
||||
return (SSL_TLSEXT_ERR_NOACK);
|
||||
|
||||
if (dom->acme_challenge == 0)
|
||||
return (SSL_TLSEXT_ERR_NOACK);
|
||||
|
||||
if (inlen != sizeof(acme_alpn_name))
|
||||
return (SSL_TLSEXT_ERR_NOACK);
|
||||
|
||||
if (memcmp(acme_alpn_name, in, sizeof(acme_alpn_name)))
|
||||
return (SSL_TLSEXT_ERR_NOACK);
|
||||
|
||||
*out = in;
|
||||
*outlen = inlen;
|
||||
|
||||
printf("tls-alpn-01 selected\n");
|
||||
|
||||
return (SSL_TLSEXT_ERR_OK);
|
||||
}
|
||||
|
||||
int
|
||||
kore_acme_tls_challenge_selected(SSL *ssl, struct kore_domain *dom)
|
||||
{
|
||||
unsigned int len;
|
||||
const u_int8_t *data;
|
||||
|
||||
if (dom->acme == 0)
|
||||
return (KORE_RESULT_ERROR);
|
||||
|
||||
if (dom->acme_challenge == 0)
|
||||
return (KORE_RESULT_ERROR);
|
||||
|
||||
SSL_get0_alpn_selected(ssl, &data, &len);
|
||||
|
||||
if (data == NULL || len != sizeof(acme_alpn_name))
|
||||
return (KORE_RESULT_ERROR);
|
||||
|
||||
if (memcmp(acme_alpn_name, data, sizeof(acme_alpn_name)))
|
||||
return (KORE_RESULT_ERROR);
|
||||
|
||||
return (KORE_RESULT_OK);
|
||||
}
|
||||
|
||||
void
|
||||
kore_acme_tls_challenge_use_cert(SSL *ssl, struct kore_domain *dom)
|
||||
{
|
||||
const unsigned char *ptr;
|
||||
X509 *x509;
|
||||
|
||||
ptr = dom->acme_cert;
|
||||
if ((x509 = d2i_X509(NULL, &ptr, dom->acme_cert_len)) == NULL)
|
||||
fatal("d2i_X509: %s", ssl_errno_s);
|
||||
|
||||
if (SSL_use_certificate(ssl, x509) == 0)
|
||||
fatal("SSL_use_certificate: %s", ssl_errno_s);
|
||||
|
||||
SSL_clear_chain_certs(ssl);
|
||||
SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
acme_parse_directory(void)
|
||||
{
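Review bot: In kore_acme_tls_challenge_use_cert the X509 returned by d2i_X509 is never released; SSL_use_certificate takes its own reference, so each challenge handshake leaks one certificate object, and the hunk's own context in the kore_domain_tlsinit change shows the project's pattern of `X509_free(x509);` once the certificate has been handed to OpenSSL — add the same line after the SSL_use_certificate check. A second point is that kore_acme_tls_challenge_selected checks `dom->acme` and `dom->acme_challenge` but not whether a certificate is actually installed; if `acme_challenge` is set while `acme_cert` is still NULL or `acme_cert_len` is 0, d2i_X509 fails and fatal() takes the worker down, and that path is reached from kore_tls_sni_cb by any client offering acme-tls/1, so the worker exit is triggerable from the network rather than by a local misconfiguration. Adding `if (dom->acme_cert == NULL || dom->acme_cert_len == 0) return (KORE_RESULT_ERROR);` before the ALPN comparison keeps such connections on the normal certificate path, and the two fatal() calls would be better as a logged error that fails only this handshake. Finally, `printf("tls-alpn-01 selected\n");` in kore_acme_tls_alpn writes to stdout from a worker; it should go through kore_debug or kore_log like the rest of the file.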
|
||||
|
|
|
@ -38,6 +38,10 @@
|
|||
#include "http.h"
|
||||
#endif
|
||||
|
||||
#if defined(KORE_USE_ACME)
|
||||
#include "acme.h"
|
||||
#endif
|
||||
|
||||
#define KORE_DOMAIN_CACHE 16
|
||||
#define SSL_SESSION_ID "kore_ssl_sessionid"
|
||||
|
||||
|
@ -415,6 +419,10 @@ kore_domain_tlsinit(struct kore_domain *dom, const void *pem, size_t pemlen)
|
|||
SSL_CTX_set_info_callback(dom->ssl_ctx, kore_tls_info_callback);
|
||||
SSL_CTX_set_tlsext_servername_callback(dom->ssl_ctx, kore_tls_sni_cb);
|
||||
|
||||
#if defined(KORE_USE_ACME)
|
||||
SSL_CTX_set_alpn_select_cb(dom->ssl_ctx, kore_acme_tls_alpn, dom);
|
||||
#endif
|
||||
|
||||
X509_free(x509);
|
||||
}
|
||||
|
||||
|
|
10
src/kore.c
10
src/kore.c
|
@ -45,6 +45,10 @@
|
|||
#include "python_api.h"
|
||||
#endif
|
||||
|
||||
#if defined(KORE_USE_ACME)
|
||||
#include "acme.h"
|
||||
#endif
|
||||
|
||||
volatile sig_atomic_t sig_recv;
|
||||
struct kore_server_list kore_servers;
|
||||
u_int8_t nlisteners;
|
||||
|
@ -362,6 +366,12 @@ kore_tls_sni_cb(SSL *ssl, int *ad, void *arg)
|
|||
kore_debug("kore_ssl_sni_cb(): Using %s CTX", sname);
|
||||
SSL_set_SSL_CTX(ssl, dom->ssl_ctx);
|
||||
|
||||
#if defined(KORE_USE_ACME)
|
||||
if (kore_acme_tls_challenge_selected(ssl, dom)) {
|
||||
kore_acme_tls_challenge_use_cert(ssl, dom);
|
||||
return (SSL_TLSEXT_ERR_OK);
|
||||
}
|
||||
#endif
|
||||
if (dom->cafile != NULL) {
|
||||
SSL_set_verify(ssl, SSL_VERIFY_PEER |
|
||||
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
|
||||
|
|
|
@ -775,6 +775,15 @@ worker_keymgr_response(struct kore_msg *msg, const void *data)
|
|||
case KORE_MSG_CRL:
|
||||
kore_domain_crl_add(dom, req->data, req->data_len);
|
||||
break;
|
||||
#if defined(KORE_USE_ACME)
|
||||
case KORE_ACME_CHALLENGE_SET_CERT:
|
||||
break;
|
||||
case KORE_ACME_CHALLENGE_CLEAR_CERT:
|
||||
dom->acme_cert_len = 0;
|
||||
dom->acme_challenge = 0;
|
||||
kore_free(dom->acme_cert);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
kore_log(LOG_WARNING, "unknown keymgr request %u", msg->id);
|
||||
break;
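Review bot: The KORE_ACME_CHALLENGE_CLEAR_CERT case frees `dom->acme_cert` but leaves the pointer in the struct, so a second CLEAR_CERT message hands the freed pointer to kore_free again and kore_acme_tls_challenge_use_cert would read it if the challenge flag were set in between; add `dom->acme_cert = NULL;` after the kore_free call, mirroring how `acme_cert_len` is reset. The KORE_ACME_CHALLENGE_SET_CERT case is an empty `break;`, which reads as a placeholder; if storing `req->data` into the domain is intended for a later commit, a `/* TODO: store the challenge certificate from req->data */` comment would make that explicit for readers of this switch. worker_keymgr_response starts and ends outside the hunk.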
|
||||
|
|