icing
diff --git a/‎configure.ac‎
Lines changed: 3 additions & 0 deletions b/‎configure.ac‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/Makefile.am‎
Lines changed: 2 additions & 0 deletions b/‎src/Makefile.am‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/md_acme_drive.c‎
Lines changed: 11 additions & 1 deletion b/‎src/md_acme_drive.c‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎src/md_core.c‎
Lines changed: 1 addition & 1 deletion b/‎src/md_core.c‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/md_crypt.c‎
Lines changed: 52 additions & 0 deletions b/‎src/md_crypt.c‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎src/md_crypt.h‎
Lines changed: 11 additions & 0 deletions b/‎src/md_crypt.h‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎src/md_curl.c‎
Lines changed: 3 additions & 0 deletions b/‎src/md_curl.c‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/md_http.c‎
Lines changed: 7 additions & 0 deletions b/‎src/md_http.c‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/md_http.h‎
Lines changed: 7 additions & 0 deletions b/‎src/md_http.h‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/md_reg.c‎
Lines changed: 17 additions & 5 deletions b/‎src/md_reg.c‎
Lines changed: 17 additions & 5 deletions
@@ -260,6 +260,9 @@ AC_SUBST(MODULE_SRC)
 ACME_DEF_URL=https://acme-v02.api.letsencrypt.org/directory
 AC_SUBST(ACME_DEF_URL)
 
+TAILSCALE_DEF_URL="file://localhost/var/run/tailscale/tailscaled.sock"
+AC_SUBST(TAILSCALE_DEF_URL)
+
 # it must be configurable without an ACME test server installed
 ACME_TEST_TYPE="none"
 ACME_TEST_URL="none"
 
@@ -47,6 +47,7 @@ A2LIB_OBJECTS = \
     md_status.c \
     md_store.c \
     md_store_fs.c \
+    md_tailscale.c \
     md_time.c \
     md_util.c
 
@@ -70,6 +71,7 @@ A2LIB_HFILES = \
     md_status.h \
     md_store.h \
     md_store_fs.h \
+    md_tailscale.h \
     md_time.h \
     md_util.h \
     md.h
 
@@ -1036,9 +1036,19 @@ static apr_status_t acme_driver_preload(md_proto_driver_t *d,
     return rv;
 }
 
+static apr_status_t acme_complete_md(md_t *md, apr_pool_t *p)
+{
+    (void)p;
+    if (!md->ca_url) {
+        md->ca_url = MD_ACME_DEF_URL;
+    }
+    return APR_SUCCESS;
+}
+
 static md_proto_t ACME_PROTO = {
     MD_PROTO_ACME, acme_driver_init, acme_driver_renew, 
-    acme_driver_preload_init, acme_driver_preload
+    acme_driver_preload_init, acme_driver_preload,
+    acme_complete_md,
 };
 
 apr_status_t md_acme_protos_add(apr_hash_t *protos, apr_pool_t *p)
 
@@ -427,7 +427,7 @@ apr_status_t md_get_ca_url_from_name(const char **purl, apr_pool_t *p, const cha
         }
     }
     *purl = name;
-    rv = md_util_abs_http_uri_check(p, name, &err);
+    rv = md_util_abs_uri_check(p, name, &err);
     if (APR_SUCCESS != rv) {
         apr_array_header_t *names;
 
 
@@ -709,6 +709,53 @@ apr_status_t md_pkey_fsave(md_pkey_t *pkey, apr_pool_t *p,
     return rv;
 }
 
+apr_status_t md_pkey_read_http(md_pkey_t **ppkey, apr_pool_t *pool,
+                               const struct md_http_response_t *res)
+{
+    apr_status_t rv;
+    apr_off_t data_len;
+    char *pem_data;
+    apr_size_t pem_len;
+    md_pkey_t *pkey;
+    BIO *bf;
+    passwd_ctx ctx;
+
+    rv = apr_brigade_length(res->body, 1, &data_len);
+    if (APR_SUCCESS != rv) goto leave;
+    if (data_len > 1024*1024) { /* certs usually are <2k each */
+        rv = APR_EINVAL;
+        goto leave;
+    }
+    rv = apr_brigade_pflatten(res->body, &pem_data, &pem_len, res->req->pool);
+    if (APR_SUCCESS != rv) goto leave;
+
+    if (NULL == (bf = BIO_new_mem_buf(pem_data, (int)pem_len))) {
+        rv = APR_ENOMEM;
+        goto leave;
+    }
+    pkey = make_pkey(pool);
+    ctx.pass_phrase = NULL;
+    ctx.pass_len = 0;
+    ERR_clear_error();
+    pkey->pkey = PEM_read_bio_PrivateKey(bf, NULL, NULL, &ctx);
+    BIO_free(bf);
+
+    if (pkey->pkey == NULL) {
+        unsigned long err = ERR_get_error();
+        rv = APR_EINVAL;
+        md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, rv, pool,
+                      "error loading pkey from http response: %s",
+                      ERR_error_string(err, NULL));
+        goto leave;
+    }
+    rv = APR_SUCCESS;
+    apr_pool_cleanup_register(pool, pkey, pkey_cleanup, apr_pool_cleanup_null);
+
+leave:
+    *ppkey = (APR_SUCCESS == rv)? pkey : NULL;
+    return rv;
+}
+
 /* Determine the message digest used for signing with the given private key. 
  */
 static const EVP_MD *pkey_get_MD(md_pkey_t *pkey)
@@ -1137,6 +1184,11 @@ const char *md_cert_get_serial_number(const md_cert_t *cert, apr_pool_t *p)
     return s;
 }
 
+int md_certs_are_equal(const md_cert_t *a, const md_cert_t *b)
+{
+    return X509_cmp(a->x509, b->x509) == 0;
+}
+
 int md_cert_is_valid_now(const md_cert_t *cert)
 {
     return ((X509_cmp_current_time(X509_get_notBefore(cert->x509)) < 0)
 
@@ -117,6 +117,12 @@ void *md_pkey_get_EVP_PKEY(struct md_pkey_t *pkey);
 apr_status_t md_crypt_hmac64(const char **pmac64, const struct md_data_t *hmac_key,
                              apr_pool_t *p, const char *d, size_t dlen);
 
+/**
+ * Read a private key from a http response.
+ */
+apr_status_t md_pkey_read_http(md_pkey_t **ppkey, apr_pool_t *pool,
+                               const struct md_http_response_t *res);
+
 /**************************************************************************************************/
 /* X509 certificates */
 
@@ -179,6 +185,11 @@ apr_time_t md_cert_get_not_after(const md_cert_t *cert);
 apr_time_t md_cert_get_not_before(const md_cert_t *cert);
 struct md_timeperiod_t md_cert_get_valid(const md_cert_t *cert);
 
+/**
+ * Return != 0 iff the hash values of the certificates are equal.
+ */
+int md_certs_are_equal(const md_cert_t *a, const md_cert_t *b);
+
 apr_status_t md_cert_get_issuers_uri(const char **puri, const md_cert_t *cert, apr_pool_t *p);
 apr_status_t md_cert_get_alt_names(apr_array_header_t **pnames, const md_cert_t *cert, apr_pool_t *p);
 
 
@@ -301,6 +301,9 @@ static apr_status_t internals_setup(md_http_request_t *req)
     if (req->ca_file) {
         curl_easy_setopt(curl, CURLOPT_CAINFO, req->ca_file);
     }
+    if (req->unix_socket_path) {
+        curl_easy_setopt(curl, CURLOPT_UNIX_SOCKET_PATH, req->unix_socket_path);
+    }
 
     if (req->body_len >= 0) {
         /* set the Content-Length */
 
@@ -33,6 +33,7 @@ struct md_http_t {
     void *impl_data;         /* to be used by the implementation */
     const char *user_agent;
     const char *proxy_url;
+    const char *unix_socket_path;
     md_http_timeouts_t timeout;
     const char *ca_file;
 };
@@ -143,6 +144,11 @@ void md_http_set_ca_file(md_http_t *http, const char *ca_file)
     http->ca_file = ca_file;
 }
 
+void md_http_set_unix_socket_path(md_http_t *http, const char *path)
+{
+    http->unix_socket_path = path;
+}
+
 static apr_status_t req_set_body(md_http_request_t *req, const char *content_type,
                                  apr_bucket_brigade *body, apr_off_t body_len,
                                  int detect_len)
@@ -211,6 +217,7 @@ static apr_status_t req_create(md_http_request_t **preq, md_http_t *http,
     req->proxy_url = http->proxy_url;
     req->timeout = http->timeout;
     req->ca_file = http->ca_file;
+    req->unix_socket_path = http->unix_socket_path;
     *preq = req;
     return rv;
 }
 
@@ -65,6 +65,7 @@ struct md_http_request_t {
     const char *user_agent;
     const char *proxy_url;
     const char *ca_file;
+    const char *unix_socket_path;
     apr_table_t *headers;
     struct apr_bucket_brigade *body;
     apr_off_t body_len;
@@ -117,6 +118,12 @@ void md_http_set_stalling(md_http_request_t *req, long bytes_per_sec, apr_time_t
  */
 void md_http_set_ca_file(md_http_t *http, const char *ca_file);
 
+/**
+ * Set the path of a unix domain socket for use instead of TCP
+ * in a connection. Disable by providing NULL as path.
+ */
+void md_http_set_unix_socket_path(md_http_t *http, const char *path);
+
 /**
  * Perform the request. Then this function returns, the request and
  * all its memory has been freed and must no longer be used.
 
@@ -33,6 +33,7 @@
 #include "md_reg.h"
 #include "md_store.h"
 #include "md_status.h"
+#include "md_tailscale.h"
 #include "md_util.h"
 
 #include "md_acme.h"
@@ -98,7 +99,8 @@ apr_status_t md_reg_create(md_reg_t **preg, apr_pool_t *p, struct md_store_t *st
     md_timeslice_create(&reg->renew_window, p, MD_TIME_LIFE_NORM, MD_TIME_RENEW_WINDOW_DEF); 
     md_timeslice_create(&reg->warn_window, p, MD_TIME_LIFE_NORM, MD_TIME_WARN_WINDOW_DEF); 
 
-    if (APR_SUCCESS == (rv = md_acme_protos_add(reg->protos, p))) {
+    if (APR_SUCCESS == (rv = md_acme_protos_add(reg->protos, p))
+        && APR_SUCCESS == (rv = md_tailscale_protos_add(reg->protos, p))) {
         rv = load_props(reg, p);
     }
 
@@ -901,12 +903,22 @@ apr_status_t md_reg_sync_finish(md_reg_t *reg, md_t *md, apr_pool_t *p, apr_pool
     md_t *old;
     apr_status_t rv;
     int changed = 1;
+    md_proto_t *proto;
 
-    if (!md->ca_url) {
-        md->ca_url = MD_ACME_DEF_URL;
-        md->ca_proto = MD_PROTO_ACME; 
+    if (!md->ca_proto) {
+        md->ca_proto = MD_PROTO_ACME;
+    }
+    proto = apr_hash_get(reg->protos, md->ca_proto, (apr_ssize_t)strlen(md->ca_proto));
+    if (!proto) {
+        rv = APR_ENOTIMPL;
+        md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, ptemp,
+                      "[%s] uses unknown CA protocol '%s'",
+                      md->name, md->ca_proto);
+        goto leave;
     }
-    
+    rv = proto->complete_md(md, p);
+    if (APR_SUCCESS != rv) goto leave;
+
     rv = state_init(reg, p, md);
     if (APR_SUCCESS != rv) goto leave;
Original file line number	Diff line number	Diff line change
`@@ -427,7 +427,7 @@ apr_status_t md_get_ca_url_from_name(const char *purl, apr_pool_t p, const cha`
`427`	`427`	`}`
`428`	`428`	`}`
`429`	`429`	`*purl = name;`
`430`		`- rv = md_util_abs_http_uri_check(p, name, &err);`
	`430`	`+ rv = md_util_abs_uri_check(p, name, &err);`
`431`	`431`	`if (APR_SUCCESS != rv) {`
`432`	`432`	`apr_array_header_t *names;`
`433`	`433`
Original file line number	Diff line number	Diff line change
`@@ -301,6 +301,9 @@ static apr_status_t internals_setup(md_http_request_t *req)`
`301`	`301`	`if (req->ca_file) {`
`302`	`302`	`curl_easy_setopt(curl, CURLOPT_CAINFO, req->ca_file);`
`303`	`303`	`}`
	`304`	`+ if (req->unix_socket_path) {`
	`305`	`+ curl_easy_setopt(curl, CURLOPT_UNIX_SOCKET_PATH, req->unix_socket_path);`
	`306`	`+ }`
`304`	`307`
`305`	`308`	`if (req->body_len >= 0) {`
`306`	`309`	`/* set the Content-Length */`