From 2ad1b5c977c6c23d1e4fc8c486bd0805ee020c5b Mon Sep 17 00:00:00 2001 From: fengweihao Date: Thu, 26 Jul 2018 17:18:00 +0800 Subject: [PATCH] =?UTF-8?q?1.=E5=88=A0=E9=99=A4Make=E4=B8=AD=E5=AF=B9?= =?UTF-8?q?=E5=88=86=E5=B8=83=E5=BC=8F=E9=94=81=E7=9A=84=E7=BC=96=E8=AF=91?= =?UTF-8?q?=202.=E4=BF=AE=E6=94=B9=E8=AF=BB=E5=8F=96=E8=AF=81=E4=B9=A6?= =?UTF-8?q?=E6=A0=BC=E5=BC=8F=E6=8E=A5=E5=8F=A3=203.=E4=BF=AE=E6=94=B9?= =?UTF-8?q?=E7=AD=BE=E5=8F=91=E8=AF=81=E4=B9=A6=E6=96=B9=E5=BC=8F=204.?= =?UTF-8?q?=E4=BF=AE=E6=94=B9=E8=8E=B7=E5=8F=96=E7=AD=BE=E5=8F=91=E8=AF=81?= =?UTF-8?q?=E4=B9=A6=E7=A7=81=E9=92=A5=E6=8E=A5=E5=8F=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ca/ca.cer | Bin 688 -> 871 bytes ca/private.key | 26 ++-- src/Makefile | 4 - src/cert_session.c | 312 ++++++++++++++++++++++++--------------------- 4 files changed, 178 insertions(+), 164 deletions(-) diff --git a/ca/ca.cer b/ca/ca.cer index 6cc0755d89d6b0257c52194d65491fb43a10296d..b1765679e274246154dd32cda91a0b5cf7f8d44b 100644 GIT binary patch literal 871 zcmZvbJCmYN5QTGo#pcwMfS?dea9<$EHx!z z`Yl6#f+OEI2(vI3RwSe&9EfXz09&T17m- zULu`@eMn*o*DnZ%3g(V0c3GX5X?>a{aqyi=BNPMo-PlqniOP05LSyg)NMArMt@YbB zM6h{H`k6Y>!N{n5z>4IEii7}p<}4RtVp_X6%fI5(?dEH4&_zSQR1v3h^^iyX)S2Sq z7GH`))3iY+3lD!?`k*{+qH1nEt|aT!%$a)HSxpXuv*51G*_WLZFO%#n>{jJH&XJfM z>RX$yJ1+|z;o&ck5Lzp0PZg_*E=6y7fS64$X-blE^-@|BhT5gPU0JHU-!^x5GCPhZ zK>!H3S!;&#B58Hs>m8VDPXvh2-*jFwwVSH|1~Fppb3W^n{tqg%dV& zRor-&#Kh^{HN@4*cf5!j94)f!RZYJ2c*ic*PL_Bnunjc_w@p(ZVRkm{fM}kJEmwW8 zb9>A!*!B`17>Aq|oW$f=HG>C_&nMXCRVTB8+Fbd4TKbcq5d`r0$-Ul&IQZXJ`VCJ? B5KI67 literal 688 zcmXqLVp?O+#3Z_anTe5!iId@8;zJp}v`-ric-c6$+C196^D;7WvoaXu8*&?PvN4CU zun99c`xy!w2!c2qJY2bz1x5K~nR&^nhWtQHKtXmMw%p3(%#un&aRX7102dEmZe@N^ zdSYH?RbokIex9L#0Ut<$n}C%u7Y7*l8OQ>|RhExMj78+}^C!u(bY6c*dN`LSg0VNIHgQ&~fjmfBnMJ}t ztO2_M9*_cI7FGjhM#lfh9tI`?W}r{|thlGthF(cY5&apvfM>^7$ql*F{{Lqw=~s(r z)m^N0@3&)3`-TRG9e1bjG(Y&^!+5s;+{6am1wp*q5@+`POxv|i!itCQqjD?bp7l?U zsKl%3n9Q^F^ 
diff --git a/ca/private.key b/ca/private.key
index 6bc9b36..75fc6b2 100644
--- a/ca/private.key
+++ b/ca/private.key
@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDSUISXQpxxynP+3G67oEGsbQVhica8kQOC8KJFJ7FpeRfIIBmF
-ygA2LlhLDbTP6OSDHGpkPrBGBOmhEqui+HYaz9Fs/gSIwf1o5FNDUtSEuUZxmUir
-3AWmYu1TVtGVFchacZgxBp+qX6GuIrMqBr0ilQxvI+e4jtD7f8UvhE4hbwIDAQAB
-AoGAGbiNLq6P0X7QBthQlpO31G2U3ePqsT8O7eGeBtUe5mZP2ULLvEgDFJ1AYRVx
-CohSAhLklBPynO2W4QMWiJzYXKBSMrl42j1ZxruP8HJcPXqVeoJURG8rToqJPbtv
-0CYCPqY1zcYQEJXtE3BPxs8Z/4lPQyD1te8+UJ6tLWUQYwECQQDpZxG2AuOHimSA
-7WioppNAvNvKHo2odPI4NLO1vhu8maoJbDpQi8CuSE5wOiob+TejFYXMvhqkgBnB
-GU8z+vbvAkEA5q00rRxCwB4+0+7w2oPNq+4xjixs2yGgFOGP7MnlseZChLYzdzFf
-dM0tULJ0wgQQqBfsbnvl4LnXZYBGlAt9gQJAbFOi+7fxhEnuBYyqg4P0WhqNZAy0
-MJg+h2mmctaOJwWmzoLFufZy8jCq/xlvy9XqRa3KkNE2qlyuF1o40WZMTwJBAIbx
-/qXiqX4Ac5rB5m6+ulwBPUZB4PCUjDSK/Ap21gOrg3BlslfhL0mCGidiLoGtpRzg
-2fSMUJ+VuFdtolxLGIECQHiCXHaLTxk+Yt5KACNMOgdMcdKjuQ/XktDD2SJ87LnP
-W7ZrSVKks9jhreGq/uJ72edP3yJzHiEiMPu/8/4nJkA=
+MIICXgIBAAKBgQDjo0ofVgglpdx19ds6/tTMXUbQMznXfvyJ1XLc3cOC1eqBj333
+MUQc8N+rJGGRZWPsnGsRy/xw3c/2jxiLM0evA16G/ZcphyjRpKG5d0LVyKa2x1S8
+9xM3TFAcLRMlIwvfkmNWqDIk8AQifLb3lhuYrZQTAKwrhlInzh5me47/qQIDAQAB
+AoGBAKXM61IDoY96TScF2ZYQwgHP9qHyjbCt51alRzIjvCFxmYqgbwk6sve5YdAP
+gZkbFjriewHNZ6L1jGFzPFc3FH++8WF1ThhGs4rAfe4rexA2gx1XZLqy+UPLECiK
+/xebOwarLSQoB9V6A+quLU1CD/rNt2IeQL3N5LNBlDlwn2LhAkEA8+R2Ib+xZ+hn
+CrWAdiEONfOVdNWMwfyAaMC3DlHjMAYuWEIBcTXQui8L6ddv5JkxPw3Z8Aae72ff
+09OtnjGrFQJBAO7wQTKYycETzzkCOqYPiT70Mg1gnk/9cIjcRWhWhNXofxIZ9PaQ
+kP71+z47ydAB/0Wq5Xe7DgHficUoVCnZF0UCQEjY6WwFLMEjinuJYPhnwS3eNrrx
++hwLBnPDdCnjzZ8PiZI1DOc6ssCZws4y2ioGk84Inhryb1CEzzcfF9GTdk0CQQDo
+6XHkbGNevnylSbL55PMYVtnjiGdJ+fcUsgNGbfAWxAf6EStkng95OTart4RGK2w2
+8Ru11rUUxl55vZItKN0xAkEAsLEqmoX/hl2PO807nQEAsDlWCsTRGawl/hz2Gq+n
+boD5yf2eW3n51Rn60cGgrInu1VifVamlQJq4zwdvJ2zjcg==
 -----END RSA PRIVATE KEY-----
diff --git a/src/Makefile b/src/Makefile
index 5b67971..f093a1c 100644
--- a/src/Makefile
+++ b/src/Makefile
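Review bot: ca/private.key is an unencrypted RSA private key committed to the repository, and this hunk rotates it in place; if it is the CA signing key that x509_privatekey_init() loads (the diffstat pairs it with ca/ca.cer, so that seems likely), both the old and the new key stay recoverable from history for anyone with read access to the repo. Keep the key outside version control (a deployment secret, or an encrypted PEM read through a passphrase callback), commit only the public certificate, and treat the replaced key as compromised. The loader that consumes this file is changed further down in src/cert_session.c.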
@@ -36,10 +36,6 @@ dir := ./components/syslogd include $(dir)/syslog.mk OBJS += $(OBJS_$(dir)) -dir := ./components/redis -include $(dir)/redis.mk -OBJS += $(OBJS_$(dir)) - dir := ./rt include $(dir)/rt.mk OBJS += $(OBJS_$(dir)) diff --git a/src/cert_session.c b/src/cert_session.c index 23e91dc..0a2524e 100644 --- a/src/cert_session.c +++ b/src/cert_session.c @@ -100,7 +100,7 @@ ssl_x509_serial_copyrand(X509 *dstcrt, X509 *srccrt) { ASN1_INTEGER *srcptr, *dstptr; BIGNUM *bnserial; - unsigned int rand; + long rand; int rv; #ifndef PURIFY @@ -160,7 +160,7 @@ ssl_x509_v3ext_copy_by_nid(X509 *crt, X509 *origcrt, int nid) } X509 * -x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, EVP_PKEY *key, +x509_modify_by_cert_bak(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, EVP_PKEY *key, int days, const char *extraname, const char *crlurl) { X509_NAME *subject, *issuer; @@ -409,7 +409,7 @@ finish: return; } -void x509_get_pubkey_form_ca(X509 *crt, char *pubkey) +void x509_get_private_key(EVP_PKEY *pkey, char *pubkey) { BIO *bp = NULL; int len = 0; 
@@ -419,38 +419,26 @@ void x509_get_pubkey_form_ca(X509 *crt, char *pubkey) goto finish; } - EVP_PKEY * pkey = X509_get_pubkey(crt); - if (pkey == NULL) { - mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Error getting public key"); - goto free_err; - } - PEM_write_bio_PUBKEY(bp, pkey); + PEM_write_bio_PrivateKey(bp, pkey, NULL, NULL, 0, NULL, NULL); len = BIO_read(bp, pubkey, SG_DATA_SIZE); if(len <= 0) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Error reading signature file"); - goto free_key; + goto free_err; } pubkey[len] = '\0'; -free_key: - EVP_PKEY_free(pkey); + free_err: BIO_free(bp); finish: return; } -static void callback(int __attribute__((__unused__))p, int __attribute__((__unused__))n, - void __attribute__((__unused__))*arg) -{ - return; -} - /* * Add extension using V3 code: we can set the config file as NULL because we * wont reference any other sections. */ -int add_ext(X509 *cert, int nid, char *value) +int add_ext(X509 *cacrt, X509 *cert, int nid, char *value) { X509_EXTENSION *ex; X509V3_CTX ctx; @@ -461,7 +449,7 @@ int add_ext(X509 *cert, int nid, char *value) * Issuer and subject certs: both the target since it is self signed, no * request and no CRL */ - X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0); + X509V3_set_ctx(&ctx, cacrt, cert, NULL, NULL, 0); ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value); if (!ex) return 0; 
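Review bot: x509_get_private_key ignores the return value of PEM_write_bio_PrivateKey(), so a failed serialization falls through to BIO_read() and is reported with the stale message "Error reading signature file"; it then reads up to SG_DATA_SIZE bytes and stores `pubkey[len] = '\0'`, which writes one byte past the end whenever the PEM output fills the buffer (assuming `pubkey` is SG_DATA_SIZE bytes, as the read length suggests). Change the two lines to `if (PEM_write_bio_PrivateKey(bp, pkey, NULL, NULL, 0, NULL, NULL) != 1) goto free_err;` and `len = BIO_read(bp, pubkey, SG_DATA_SIZE - 1);`, and rename the output parameter and the log text, since the buffer now carries an unencrypted private key rather than a public key. The function's signature is in the preceding hunk and its BIO_new() check precedes this one; the stray indent on `+ free_err:` should also match the other labels.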
@@ -471,102 +459,6 @@ int add_ext(X509 *cert, int nid, char *value) return 1; } -int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, - int serial, char *host, int days) -{ - X509 *x; - EVP_PKEY *pk; - RSA *rsa; - X509_NAME *name = NULL; - - if ((pkeyp == NULL) || (*pkeyp == NULL)) { - if ((pk = EVP_PKEY_new()) == NULL) { - abort(); - return (0); - } - } else - pk = *pkeyp; - - if ((x509p == NULL) || (*x509p == NULL)) { - if ((x = X509_new()) == NULL) - goto err; - } else - x = *x509p; - - rsa = RSA_generate_key(bits, RSA_F4, callback, NULL); - if (!EVP_PKEY_assign_RSA(pk, rsa)) { - abort(); - goto err; - } - rsa = NULL; - - X509_set_version(x, 2); - ASN1_INTEGER_set(X509_get_serialNumber(x), serial); - X509_gmtime_adj(X509_get_notBefore(x), 0); - X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days); - X509_set_pubkey(x, pk); - - name = X509_get_subject_name(x); - - /* - * This function creates and adds the entry, working out the correct - * string type and performing checks on its length. Normally we'd check - * the return value for errors... - */ - X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (const unsigned char *)"UK", -1, -1, 0); - X509_NAME_add_entry_by_txt(name, "CN", - MBSTRING_ASC, (const unsigned char *)host, -1, -1, 0); - - /* - * Its self signed so set the issuer name to be the same as the subject. 
- */ - X509_set_issuer_name(x, name); - - /* Add various extensions: standard extensions */ - add_ext(x, NID_basic_constraints, "critical,CA:TRUE"); - add_ext(x, NID_key_usage, "critical,keyCertSign,cRLSign"); - - add_ext(x, NID_subject_key_identifier, "hash"); - - /* Some Netscape specific extensions */ - add_ext(x, NID_netscape_cert_type, "sslCA"); - - add_ext(x, NID_netscape_comment, "example comment extension"); - -#ifdef CUSTOM_EXT - /* Maybe even add our own extension based on existing */ - { - int nid; - nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension"); - X509V3_EXT_add_alias(nid, NID_netscape_comment); - add_ext(x, nid, "example comment alias"); - } -#endif - - if (!X509_sign(x, pk, EVP_sha1())) - goto err; - - *x509p = x; - *pkeyp = pk; - return (1); - err: - return (0); -} - -X509 *x509_create_cert(char *host, int days) -{ - X509 *x509 = NULL; - EVP_PKEY *pkey = NULL; - - CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); - - mkcert(&x509, &pkey, 1024, 0, host, days); - - EVP_PKEY_free(pkey); - - return x509; -} - #if 0 static int fs_internal_operate(int id, int id2, int column_id, int column_id2, long long diffTime) { @@ -589,6 +481,7 @@ finish: } #endif +static int redis_rsync_init(struct event_base *base, struct redisAsyncContext **cl_ctx) { int xret = -1; @@ -652,7 +545,7 @@ redis_reget_callback(redisAsyncContext __attribute__((__unused__))*cl_ctx, return; } -static void +static void __attribute__((__unused__)) redis_set_callback(redisAsyncContext *cl_ctx, void *r, void *privdata) { 
@@ -700,28 +593,155 @@ finish: return; } -int x509_online_append(char *host, EVP_PKEY *key, X509 *root, char *ca_s, char *pubkey) +static +int create_client_key(EVP_PKEY** pkey, char *pubkey, int bits) { - int xret = -1; - struct config_bucket_t *rte = cert_default_config(); + RSA *rsa = NULL; + EVP_PKEY *pk = NULL; - X509* ca = x509_create_cert(host, rte->days); - if (!ca){ - goto finish; - } - X509* x509 = x509_modify_by_cert(root, key, ca, X509_get_pubkey(root), - rte->days, NULL, NULL); - if (!x509){ + if((pk = EVP_PKEY_new()) == NULL){ + mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "create_client_key, gen new key failed!"); goto err; } - x509_get_pubkey_form_ca(x509, pubkey); + + rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL); + if(!EVP_PKEY_assign_RSA(pk, rsa)){ + mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "create_client_key, assign key failed!"); + EVP_PKEY_free(pk); + goto err; + } + x509_get_private_key(pk, pubkey); + rsa = NULL; + + *pkey = pk; + return 1; + +err: + return 0; +} + +int add_cert_ctx(X509_NAME* name, char* ctx[], int num) +{ + int i = 0; + int max = 0; + + int item[] = {NID_commonName, NID_countryName, + NID_stateOrProvinceName, NID_localityName, + NID_organizationName, NID_organizationalUnitName, + NID_pkcs9_emailAddress}; + + max = sizeof(item)/sizeof(item[0]); + max = max > num ? 
num : max; + + for(i = 0; i< max; ++i){ + if(!X509_NAME_add_entry_by_NID(name, item[i], MBSTRING_UTF8, (unsigned char *)ctx[i], -1, -1, 0)){ + mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "add_cert_ctx, add entry:%d to %s failed!", item[i], ctx[i]); + return 0; + } + } + + return 1; +} + +int rand_serial(BIGNUM *b, ASN1_INTEGER *ai) +{ +#define SERIAL_RAND_BITS 124 + BIGNUM *btmp; + int ret = 0; + if (b) + btmp = b; + else + btmp = BN_new(); + if (!btmp) + return 0; + if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0)) + goto error; + if (ai && !BN_to_ASN1_INTEGER(btmp, ai)) + goto error; + ret = 1; + + error: + if (!b) + BN_free(btmp); + return ret; +} + +X509 *x509_modify_by_cert(X509 *cacrt, EVP_PKEY *cakey, const char* host, + char *pubkey, const int days) +{ + X509* x = NULL; + EVP_PKEY* pk = NULL; + + char* ctx[] = {(char*)host, "CN", "mystate", + "mycity", "myorganization", "mygroup", + "sample@sample.com"}; + + if(!create_client_key(&pk, pubkey, 1024)){ + goto err; + } + + if((x = X509_new()) == NULL){ + goto err; + } + + if (!X509_set_version(x, 0x02)){ + goto err; + } + + if (!X509_set_version(x, 0x02) || + !X509_set_issuer_name(x, X509_get_subject_name(cacrt)) || + !rand_serial(NULL, X509_get_serialNumber(x)) || + !X509_gmtime_adj(X509_get_notBefore(x), 0L) || + !X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) || + !X509_set_pubkey(x, pk) || + !add_cert_ctx(X509_get_subject_name(x), ctx, 7)) + goto err; +#if 1 + + /* Add various extensions: standard extensions */ + add_ext(cacrt, x, NID_basic_constraints, "critical,CA:FALSE"); + add_ext(cacrt, x, NID_subject_key_identifier, "hash"); + add_ext(cacrt, x, NID_key_usage, "Digital Signature, Key Encipherment, Data Encipherment"); + + /**/ + + add_ext(cacrt, x, NID_authority_key_identifier, "keyid:always"); + + add_ext(cacrt, x, NID_ext_key_usage, "serverAuth,clientAuth"); + /*NID_certificate_policies*/ +/* + char dns[128] = {0}, domain[16] = {0}; + sscanf(host, "%*[^.].%[^.]", domain); + snprintf(dns, 
127, "DNS:%s.com, DNS:*.%s.com, DNS:www.%s.cn", domain, domain, domain); + add_ext(cacrt, x, NID_subject_alt_name, dns); +*/ +#endif + if(!X509_sign(x, cakey, EVP_sha256())){ + goto err; + } + return x; + +err: + if(x) + X509_free(x); + if(pk) + EVP_PKEY_free(pk); + return NULL; +} + +int x509_online_append(char *host, EVP_PKEY *key, X509 *root, char *ca_s, char *pubkey) +{ + struct config_bucket_t *rte = cert_default_config(); + + X509* x509 = x509_modify_by_cert(root, key, host, pubkey, rte->days); + if (!x509){ + goto finish; + } x509_get_msg_from_ca(x509, ca_s); X509_free(x509); -err: - X509_free(ca); finish: - return xret; + return 0; } static char readBytes(char *str) @@ -855,7 +875,7 @@ finish: void redis_get_callback(redisAsyncContext *c, void *r, void *privdata) { - int __attribute__((__unused__))xret = -1; + int __attribute__((__unused__))xret = -1; redisReply *reply = (redisReply*)r; struct request_t *request = (struct request_t *)privdata; @@ -881,7 +901,7 @@ void redis_get_callback(redisAsyncContext *c, void *r, void *privdata) int x509_privatekey_init(EVP_PKEY **key, X509 **root) { - int xret = -1, len = 0; + int xret = -1; FILE *fp; RSA *rsa = NULL; char key_path[128] = {0}, cert_path[128] = {0}; struct config_bucket_t *rte = cert_default_config(); @@ -899,7 +919,6 @@ int x509_privatekey_init(EVP_PKEY **key, X509 **root) goto pkey_free; } - unsigned char buf[SG_DATA_SIZE],*p; fp = fopen(key_path, "r"); if (NULL == fp){ mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to open file(%s)", key_path); 
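Review bot: In x509_modify_by_cert the client key `pk` is leaked on the success path: X509_set_pubkey() keeps its own reference, but `pk` is only released under `err:`, so every certificate issued leaves an unencrypted private key in the heap; add `EVP_PKEY_free(pk);` before `return x;` (the `if(x)`/`if(pk)` guards under `err:` are redundant, both free functions accept NULL). x509_online_append now returns 0 on every path, including when x509_modify_by_cert fails and `ca_s`/`pubkey` were never filled, so keep a result variable and set it only after x509_get_msg_from_ca. create_client_key is invoked with a hard-coded 1024-bit modulus and rand_serial draws the serial with BN_pseudo_rand(); for issued certificates the modulus size belongs in configuration with 2048 as the floor, and the serial should come from BN_rand(). `X509_set_version(x, 0x02)` is also called twice in a row, and the add_ext() return values are discarded, so an extension that fails to build goes unnoticed.
```c
    /* … unchanged: create_client_key(), X509_new(), field setup, add_ext() calls … */
    if(!X509_sign(x, cakey, EVP_sha256())){
        goto err;
    }
    EVP_PKEY_free(pk);   /* X509_set_pubkey() holds its own reference; drop ours */
    return x;

err:
    X509_free(x);        /* both free functions accept NULL */
    EVP_PKEY_free(pk);
    return NULL;
}

int x509_online_append(char *host, EVP_PKEY *key, X509 *root, char *ca_s, char *pubkey)
{
    int xret = -1;
    /* … unchanged: cert_default_config(), x509_modify_by_cert(), goto finish on NULL … */
    x509_get_msg_from_ca(x509, ca_s);
    X509_free(x509);
    xret = 0;
finish:
    return xret;
}
```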
@@ -913,21 +932,20 @@ int x509_privatekey_init(EVP_PKEY **key, X509 **root) } fclose(fp); - fp = fopen(cert_path, "rb"); - if (NULL == fp){ + BIO *in; + in = BIO_new_file(cert_path, "r"); + if (!in){ mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to open file(%s)", cert_path); goto pkey_free; } - len = fread(buf, 1, SG_DATA_SIZE, fp); - fclose(fp); - p = buf; - *root = X509_new(); - if ( d2i_X509(root, (const unsigned char**)&p, len) == NULL ) + if ((*root = PEM_read_bio_X509(in, NULL, 0, NULL)) == NULL ) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Application for x509 failed"); goto pkey_free; } + BIO_free(in); + xret = 0; goto finish; @@ -938,10 +956,10 @@ finish: } static int -rt_decode_uri(const char *uri, char *host, +ev_decode_uri(const char *uri, char *host, int *flag, int *valid) { - const char *fg = NULL, *vl = NULL, *ht = NULL; + const char *fg = NULL, *vl = NULL, *hst = NULL; char *decoded_uri = NULL; struct evkeyvalq params; @@ -952,9 +970,9 @@ rt_decode_uri(const char *uri, char *host, evhttp_parse_query(decoded_uri, ¶ms); - ht = evhttp_find_header(¶ms, "host"); - if (ht[0] != '\0') - memcpy(host, ht, strlen(ht)); + hst = evhttp_find_header(¶ms, "host"); + if (hst[0] != '\0') + memcpy(host, hst, strlen(hst)); fg = evhttp_find_header(¶ms, "flag"); if (fg) @@ -1016,7 +1034,7 @@ pthread_work_proc(struct evhttp_request *evh_req, void *arg) FS_internal_operate(SGstats.handle, t->column_ids, SGstats.line_ids[0], FS_OP_ADD, 1); - rt_decode_uri(uri, request->host, &request->flag, &request->valid); + ev_decode_uri(uri, request->host, &request->flag, &request->valid); mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "[Thread %d]Received a %s request for %s, host:%s, flag:%d, valid:%d\nHeaders:", request->t_id, cmdtype, uri, request->host, request->flag, request->valid);
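Review bot: In x509_privatekey_init the BIO created by BIO_new_file() is leaked when PEM_read_bio_X509() fails, because that branch jumps to `pkey_free` before the newly added `BIO_free(in);`. Release the BIO right after the read, since the stream is consumed either way, and pass NULL rather than `0` for the callback argument: `*root = PEM_read_bio_X509(in, NULL, NULL, NULL); BIO_free(in); if (*root == NULL) { … goto pkey_free; }`. The enclosing function begins before this hunk, and the `pkey_free` label lies outside it.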
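Review bot: ev_decode_uri dereferences `hst[0]` before checking for NULL, although evhttp_find_header() returns NULL when the `host` query parameter is absent, while the `flag` lookup two lines below is guarded with `if (fg)`; the copy `memcpy(host, hst, strlen(hst))` is also unbounded and never NUL-terminates, so a long query value overruns `host` (the caller's `request->host`, whose size is not visible here). Replace the three lines with `if (hst) snprintf(host, host_len, "%s", hst);` where `host_len` is a new size parameter supplied by pthread_work_proc, which already passes `request->host`. The function starts and ends outside this hunk.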