mirror of
https://github.com/processone/ejabberd.git
synced 2024-12-02 16:37:52 +01:00
374 lines
11 KiB
Erlang
374 lines
11 KiB
Erlang
%%%-------------------------------------------------------------------
|
|
%%% @author Evgeny Khramtsov <ekhramtsov@process-one.net>
|
|
%%% Created : 4 Mar 2017 by Evgeny Khramtsov <ekhramtsov@process-one.net>
|
|
%%%
|
|
%%%
|
|
%%% ejabberd, Copyright (C) 2002-2019 ProcessOne
|
|
%%%
|
|
%%% This program is free software; you can redistribute it and/or
|
|
%%% modify it under the terms of the GNU General Public License as
|
|
%%% published by the Free Software Foundation; either version 2 of the
|
|
%%% License, or (at your option) any later version.
|
|
%%%
|
|
%%% This program is distributed in the hope that it will be useful,
|
|
%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
%%% General Public License for more details.
|
|
%%%
|
|
%%% You should have received a copy of the GNU General Public License along
|
|
%%% with this program; if not, write to the Free Software Foundation, Inc.,
|
|
%%% 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
%%%
|
|
%%%-------------------------------------------------------------------
|
|
-module(ejabberd_pkix).
|
|
-behaviour(gen_server).
|
|
|
|
%% API
|
|
-export([start_link/0]).
|
|
-export([certs_dir/0]).
|
|
-export([add_certfile/1, try_certfile/1, get_certfile/0, get_certfile/1]).
|
|
%% Hooks
|
|
-export([ejabberd_started/0, config_reloaded/0]).
|
|
%% gen_server callbacks
|
|
-export([init/1, handle_call/3, handle_cast/2, handle_info/2,
|
|
terminate/2, code_change/3, format_status/2]).
|
|
|
|
-include("logger.hrl").
|
|
-define(CALL_TIMEOUT, timer:minutes(1)).
|
|
|
|
-record(state, {files = sets:new() :: sets:set(filename())}).
|
|
|
|
-type state() :: #state{}.
|
|
-type filename() :: binary().
|
|
|
|
%%%===================================================================
|
|
%%% API
|
|
%%%===================================================================
|
|
-spec start_link() -> {ok, pid()} | {error, {already_started, pid()} | term()}.
|
|
start_link() ->
|
|
gen_server:start_link({local, ?MODULE}, ?MODULE, [], []).
|
|
|
|
-spec add_certfile(file:filename_all()) -> {ok, filename()} | {error, pkix:error_reason()}.
|
|
add_certfile(Path0) ->
|
|
Path = prep_path(Path0),
|
|
try gen_server:call(?MODULE, {add_certfile, Path}, ?CALL_TIMEOUT)
|
|
catch exit:{noproc, _} ->
|
|
case add_file(Path) of
|
|
ok -> {ok, Path};
|
|
Err -> Err
|
|
end
|
|
end.
|
|
|
|
-spec try_certfile(file:filename_all()) -> filename().
|
|
try_certfile(Path0) ->
|
|
Path = prep_path(Path0),
|
|
case pkix:is_pem_file(Path) of
|
|
true -> Path;
|
|
{false, Reason} ->
|
|
?ERROR_MSG("Failed to read PEM file ~s: ~s",
|
|
[Path, pkix:format_error(Reason)]),
|
|
erlang:error(badarg)
|
|
end.
|
|
|
|
-spec get_certfile(binary()) -> {ok, filename()} | error.
|
|
get_certfile(Domain) ->
|
|
case get_certfile_no_default(Domain) of
|
|
{ok, Path} ->
|
|
{ok, Path};
|
|
error ->
|
|
get_certfile()
|
|
end.
|
|
|
|
-spec get_certfile_no_default(binary()) -> {ok, filename()} | error.
|
|
get_certfile_no_default(Domain) ->
|
|
case xmpp_idna:domain_utf8_to_ascii(Domain) of
|
|
false ->
|
|
error;
|
|
ASCIIDomain ->
|
|
case pkix:get_certfile(ASCIIDomain) of
|
|
error -> error;
|
|
Ret -> {ok, select_certfile(Ret)}
|
|
end
|
|
end.
|
|
|
|
-spec get_certfile() -> {ok, filename()} | error.
|
|
get_certfile() ->
|
|
case pkix:get_certfile() of
|
|
error -> error;
|
|
Ret -> {ok, select_certfile(Ret)}
|
|
end.
|
|
|
|
-spec certs_dir() -> file:filename_all().
|
|
certs_dir() ->
|
|
MnesiaDir = mnesia:system_info(directory),
|
|
filename:join(MnesiaDir, "certs").
|
|
|
|
-spec ejabberd_started() -> ok.
|
|
ejabberd_started() ->
|
|
gen_server:call(?MODULE, ejabberd_started, ?CALL_TIMEOUT).
|
|
|
|
-spec config_reloaded() -> ok.
|
|
config_reloaded() ->
|
|
gen_server:call(?MODULE, config_reloaded, ?CALL_TIMEOUT).
|
|
|
|
%%%===================================================================
|
|
%%% gen_server callbacks
|
|
%%%===================================================================
|
|
-spec init([]) -> {ok, state()}.
|
|
init([]) ->
|
|
process_flag(trap_exit, true),
|
|
ejabberd_hooks:add(config_reloaded, ?MODULE, config_reloaded, 100),
|
|
ejabberd_hooks:add(ejabberd_started, ?MODULE, ejabberd_started, 30),
|
|
case add_files() of
|
|
{Files, []} ->
|
|
{ok, #state{files = Files}};
|
|
{Files, [_|_]} ->
|
|
case ejabberd:is_loaded() of
|
|
true ->
|
|
{ok, #state{files = Files}};
|
|
false ->
|
|
del_files(Files),
|
|
stop_ejabberd()
|
|
end
|
|
end.
|
|
|
|
-spec handle_call(term(), {pid(), term()}, state()) ->
|
|
{reply, ok, state()} | {noreply, state()}.
|
|
handle_call({add_certfile, Path}, _From, State) ->
|
|
case add_file(Path) of
|
|
ok ->
|
|
Files = sets:add_element(Path, State#state.files),
|
|
{reply, {ok, Path}, State#state{files = Files}};
|
|
{error, _} = Err ->
|
|
{reply, Err, State}
|
|
end;
|
|
handle_call(ejabberd_started, _From, State) ->
|
|
case commit() of
|
|
{ok, []} ->
|
|
check_domain_certfiles(),
|
|
{reply, ok, State};
|
|
_ ->
|
|
stop_ejabberd()
|
|
end;
|
|
handle_call(config_reloaded, _From, State) ->
|
|
Old = State#state.files,
|
|
New = get_certfiles_from_config_options(),
|
|
del_files(sets:subtract(Old, New)),
|
|
_ = add_files(New),
|
|
case commit() of
|
|
{ok, _} ->
|
|
check_domain_certfiles(),
|
|
{reply, ok, State#state{files = New}};
|
|
error ->
|
|
{reply, ok, State}
|
|
end;
|
|
handle_call(Request, _From, State) ->
|
|
?WARNING_MSG("Unexpected call: ~p", [Request]),
|
|
{noreply, State}.
|
|
|
|
-spec handle_cast(term(), state()) -> {noreply, state()}.
|
|
handle_cast(Request, State) ->
|
|
?WARNING_MSG("Unexpected cast: ~p", [Request]),
|
|
{noreply, State}.
|
|
|
|
-spec handle_info(term(), state()) -> {noreply, state()}.
|
|
handle_info(Info, State) ->
|
|
?WARNING_MSG("Unexpected info: ~p", [Info]),
|
|
{noreply, State}.
|
|
|
|
-spec terminate(normal | shutdown | {shutdown, term()} | term(),
|
|
state()) -> any().
|
|
terminate(_Reason, State) ->
|
|
ejabberd_hooks:delete(ejabberd_started, ?MODULE, ejabberd_started, 30),
|
|
ejabberd_hooks:delete(config_reloaded, ?MODULE, config_reloaded, 100),
|
|
del_files(State#state.files).
|
|
|
|
-spec code_change(term() | {down, term()}, state(), term()) -> {ok, state()}.
|
|
code_change(_OldVsn, State, _Extra) ->
|
|
{ok, State}.
|
|
|
|
-spec format_status(normal | terminate, list()) -> term().
|
|
format_status(_Opt, Status) ->
|
|
Status.
|
|
|
|
%%%===================================================================
|
|
%%% Internal functions
|
|
%%%===================================================================
|
|
-spec add_files() -> {sets:set(filename()), [{filename(), pkix:error_reason()}]}.
|
|
add_files() ->
|
|
Files = get_certfiles_from_config_options(),
|
|
add_files(sets:to_list(Files), sets:new(), []).
|
|
|
|
-spec add_files(sets:set(filename())) ->
|
|
{sets:set(filename()), [{filename(), pkix:error_reason()}]}.
|
|
add_files(Files) ->
|
|
add_files(sets:to_list(Files), sets:new(), []).
|
|
|
|
-spec add_files([filename()], sets:set(filename()),
|
|
[{filename(), pkix:error_reason()}]) ->
|
|
{sets:set(filename()), [{filename(), pkix:error_reason()}]}.
|
|
add_files([File|Files], Set, Errs) ->
|
|
case add_file(File) of
|
|
ok ->
|
|
Set1 = sets:add_element(File, Set),
|
|
add_files(Files, Set1, Errs);
|
|
{error, Reason} ->
|
|
Errs1 = [{File, Reason}|Errs],
|
|
add_files(Files, Set, Errs1)
|
|
end;
|
|
add_files([], Set, Errs) ->
|
|
{Set, Errs}.
|
|
|
|
-spec add_file(filename()) -> ok | {error, pkix:error_reason()}.
|
|
add_file(File) ->
|
|
case pkix:add_file(File) of
|
|
ok -> ok;
|
|
{error, Reason} = Err ->
|
|
?ERROR_MSG("Failed to read PEM file ~s: ~s",
|
|
[File, pkix:format_error(Reason)]),
|
|
Err
|
|
end.
|
|
|
|
-spec del_files(sets:set(filename())) -> ok.
|
|
del_files(Files) ->
|
|
lists:foreach(fun pkix:del_file/1, sets:to_list(Files)).
|
|
|
|
-spec commit() -> {ok, [{filename(), pkix:error_reason()}]} | error.
|
|
commit() ->
|
|
CAFile = ejabberd_option:ca_file(),
|
|
?DEBUG("Using CA root certificates from: ~s", [CAFile]),
|
|
Opts = [{cafile, CAFile}],
|
|
case pkix:commit(certs_dir(), Opts) of
|
|
{ok, Errors, Warnings, CAError} ->
|
|
log_errors(Errors),
|
|
log_cafile_error(CAError),
|
|
log_warnings(Warnings),
|
|
fast_tls_add_certfiles(),
|
|
{ok, Errors};
|
|
{error, File, Reason} ->
|
|
?CRITICAL_MSG("Failed to write to ~s: ~s",
|
|
[File, file:format_error(Reason)]),
|
|
error
|
|
end.
|
|
|
|
-spec check_domain_certfiles() -> ok.
|
|
check_domain_certfiles() ->
|
|
Hosts = ejabberd_option:hosts(),
|
|
Routes = ejabberd_router:get_all_routes(),
|
|
check_domain_certfiles(Hosts ++ Routes).
|
|
|
|
-spec check_domain_certfiles([binary()]) -> ok.
|
|
check_domain_certfiles(Hosts) ->
|
|
case ejabberd_listener:tls_listeners() of
|
|
[] -> ok;
|
|
_ ->
|
|
lists:foreach(
|
|
fun(Host) ->
|
|
case get_certfile_no_default(Host) of
|
|
error ->
|
|
?WARNING_MSG(
|
|
"No certificate found matching '~s': strictly "
|
|
"configured clients or servers will reject "
|
|
"connections with this host; obtain "
|
|
"a certificate for this (sub)domain from any "
|
|
"trusted CA such as Let's Encrypt "
|
|
"(www.letsencrypt.org)",
|
|
[Host]);
|
|
_ ->
|
|
ok
|
|
end
|
|
end, Hosts)
|
|
end.
|
|
|
|
-spec get_certfiles_from_config_options() -> sets:set(filename()).
|
|
get_certfiles_from_config_options() ->
|
|
case ejabberd_option:certfiles() of
|
|
undefined ->
|
|
sets:new();
|
|
Paths ->
|
|
lists:foldl(
|
|
fun(Path, Acc) ->
|
|
Files = wildcard(Path),
|
|
lists:foldl(fun sets:add_element/2, Acc, Files)
|
|
end, sets:new(), Paths)
|
|
end.
|
|
|
|
-spec prep_path(file:filename_all()) -> filename().
|
|
prep_path(Path0) ->
|
|
case filename:pathtype(Path0) of
|
|
relative ->
|
|
case file:get_cwd() of
|
|
{ok, CWD} ->
|
|
unicode:characters_to_binary(filename:join(CWD, Path0));
|
|
{error, Reason} ->
|
|
?WARNING_MSG("Failed to get current directory name: ~s",
|
|
[file:format_error(Reason)]),
|
|
unicode:characters_to_binary(Path0)
|
|
end;
|
|
_ ->
|
|
unicode:characters_to_binary(Path0)
|
|
end.
|
|
|
|
-spec stop_ejabberd() -> no_return().
|
|
stop_ejabberd() ->
|
|
?CRITICAL_MSG("ejabberd initialization was aborted due to "
|
|
"invalid certificates configuration", []),
|
|
ejabberd:halt().
|
|
|
|
-spec wildcard(file:filename_all()) -> [filename()].
|
|
wildcard(Path) when is_binary(Path) ->
|
|
wildcard(binary_to_list(Path));
|
|
wildcard(Path) ->
|
|
case filelib:wildcard(Path) of
|
|
[] ->
|
|
?WARNING_MSG("Path ~s is empty, please make sure ejabberd has "
|
|
"sufficient rights to read it", [Path]),
|
|
[];
|
|
Files ->
|
|
[prep_path(File) || File <- Files]
|
|
end.
|
|
|
|
-spec select_certfile({filename() | undefined,
|
|
filename() | undefined,
|
|
filename() | undefined}) -> filename().
|
|
select_certfile({EC, _, _}) when EC /= undefined -> EC;
|
|
select_certfile({_, RSA, _}) when RSA /= undefined -> RSA;
|
|
select_certfile({_, _, DSA}) when DSA /= undefined -> DSA.
|
|
|
|
-spec fast_tls_add_certfiles() -> ok.
|
|
fast_tls_add_certfiles() ->
|
|
lists:foreach(
|
|
fun({Domain, Files}) ->
|
|
fast_tls:add_certfile(Domain, select_certfile(Files))
|
|
end, pkix:get_certfiles()),
|
|
fast_tls:clear_cache().
|
|
|
|
reason_to_fmt({invalid_cert, _, _}) ->
|
|
"Invalid certificate in ~s: ~s";
|
|
reason_to_fmt(_) ->
|
|
"Failed to read PEM file ~s: ~s".
|
|
|
|
-spec log_warnings([{filename(), pkix:error_reason()}]) -> ok.
|
|
log_warnings(Warnings) ->
|
|
lists:foreach(
|
|
fun({File, Reason}) ->
|
|
?WARNING_MSG(reason_to_fmt(Reason),
|
|
[File, pkix:format_error(Reason)])
|
|
end, Warnings).
|
|
|
|
-spec log_errors([{filename(), pkix:error_reason()}]) -> ok.
|
|
log_errors(Errors) ->
|
|
lists:foreach(
|
|
fun({File, Reason}) ->
|
|
?ERROR_MSG(reason_to_fmt(Reason),
|
|
[File, pkix:format_error(Reason)])
|
|
end, Errors).
|
|
|
|
-spec log_cafile_error({filename(), pkix:error_reason()} | undefined) -> ok.
|
|
log_cafile_error({File, Reason}) ->
|
|
?CRITICAL_MSG("Failed to read CA certitificates from ~s: ~s. "
|
|
"Try to change/set option 'ca_file'",
|
|
[File, pkix:format_error(Reason)]);
|
|
log_cafile_error(_) ->
|
|
ok.
|