gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加开关,控制是否使用本地证书哈希表。对certstore和debug模式都生效。

Browse Source
This commit is contained in:
zhengchao
2018-11-26 11:45:42 +08:00
parent 4d326c5c52
commit 089499bdd5
1 changed files with 37 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
platform/src/key_keeper.cpp
View File

@@ -22,8 +22,8 @@
#define KEYRING_NOT_EXSITED -1 #define KEYRING_NOT_EXSITED -1
enum key_keeper_mode{ enum key_keeper_mode{
KK_MODE_NORMAL = 0, KK_MODE_CERT_STORE = 0,
KK_MODE_DEBUG, KK_MODE_LOCAL
}; };
struct key_keeper struct key_keeper
@@ -35,13 +35,14 @@ struct key_keeper
unsigned int cert_store_port; unsigned int cert_store_port;
unsigned int hash_slot_size; unsigned int hash_slot_size;
unsigned int hash_expire_seconds; unsigned int hash_expire_seconds;
MESA_htable_handle htable; MESA_htable_handle cert_cache;
void* logger; void* logger;
X509* trusted_ca_cert; X509* trusted_ca_cert;
EVP_PKEY* trusted_ca_key; EVP_PKEY* trusted_ca_key;
X509* untrusted_ca_cert; X509* untrusted_ca_cert;
EVP_PKEY* untrusted_ca_key; EVP_PKEY* untrusted_ca_key;
unsigned int no_cache;
}; };
@@ -56,7 +57,7 @@ struct keyring_private
struct key_keeper_promise_ctx struct key_keeper_promise_ctx
{ {
void* logger; void* logger;
MESA_htable_handle htable; struct key_keeper* ref_keeper;
uchar* key; uchar* key;
struct future* f_certstore_rpc; struct future* f_certstore_rpc;
unsigned int key_len; unsigned int key_len;
@@ -403,7 +404,7 @@ static void certstore_rpc_on_succ(void* result, void* user)
struct key_keeper_promise_ctx* ctx = (struct key_keeper_promise_ctx*)promise_get_ctx(p); struct key_keeper_promise_ctx* ctx = (struct key_keeper_promise_ctx*)promise_get_ctx(p);
// TFE_LOG_INFO(ctx->logger, "certstore rpc success"); // TFE_LOG_INFO(ctx->logger, "certstore rpc success");
future_destroy(ctx->f_certstore_rpc); future_destroy(ctx->f_certstore_rpc);
MESA_htable_handle htable= ctx->htable; MESA_htable_handle htable= ctx->ref_keeper->cert_cache;
const uchar* key = ctx->key; const uchar* key = ctx->key;
unsigned int key_len = ctx->key_len; unsigned int key_len = ctx->key_len;
struct tfe_rpc_response_result* response = tfe_rpc_release(result); struct tfe_rpc_response_result* response = tfe_rpc_release(result);
@@ -420,11 +421,14 @@ static void certstore_rpc_on_succ(void* result, void* user)
promise_failed(p, FUTURE_ERROR_EXCEPTION, "get_keyring_from_response failed"); promise_failed(p, FUTURE_ERROR_EXCEPTION, "get_keyring_from_response failed");
return; return;
} }
keyring_ref_inc(kyr); if(!ctx->ref_keeper->no_cache)
int ret = MESA_htable_add(htable, key, key_len, (void*)kyr);
if(ret<0)
{ {
key_keeper_free_keyring((struct keyring*)kyr); keyring_ref_inc(kyr);
int ret = MESA_htable_add(htable, key, key_len, (void*)kyr);
if(ret<0)
{
key_keeper_free_keyring((struct keyring*)kyr);
}
} }
promise_success(p, (void*)kyr); promise_success(p, (void*)kyr);
key_keeper_free_keyring((struct keyring*)kyr); key_keeper_free_keyring((struct keyring*)kyr);
@@ -481,7 +485,7 @@ static MESA_htable_handle create_hash_table(unsigned int slot_size, unsigned int
void key_keeper_destroy(struct key_keeper *keeper) void key_keeper_destroy(struct key_keeper *keeper)
{ {
MESA_htable_destroy(keeper->htable, NULL); MESA_htable_destroy(keeper->cert_cache, NULL);
X509_free(keeper->trusted_ca_cert); X509_free(keeper->trusted_ca_cert);
EVP_PKEY_free(keeper->trusted_ca_key); EVP_PKEY_free(keeper->trusted_ca_key);
@@ -501,11 +505,11 @@ struct key_keeper* key_keeper_init(const char * profile, const char* section, vo
MESA_load_profile_string_def(profile, section, "mode", tmp, sizeof(tmp), "debug"); MESA_load_profile_string_def(profile, section, "mode", tmp, sizeof(tmp), "debug");
if(strcasecmp(tmp, "debug") == 0) if(strcasecmp(tmp, "debug") == 0)
{ {
keeper->work_mode = KK_MODE_DEBUG; keeper->work_mode = KK_MODE_LOCAL;
} }
else else
{ {
keeper->work_mode = KK_MODE_NORMAL; keeper->work_mode = KK_MODE_CERT_STORE;
} }
MESA_load_profile_string_def(profile, section, "ca_path", keeper->trusted_ca_path, MESA_load_profile_string_def(profile, section, "ca_path", keeper->trusted_ca_path,
@@ -518,12 +522,14 @@ struct key_keeper* key_keeper_init(const char * profile, const char* section, vo
MESA_load_profile_uint_def(profile, section, "cert_store_port", &(keeper->cert_store_port), 80); MESA_load_profile_uint_def(profile, section, "cert_store_port", &(keeper->cert_store_port), 80);
MESA_load_profile_uint_def(profile, section, "hash_slot_size", &(keeper->hash_slot_size), 1024*128); MESA_load_profile_uint_def(profile, section, "hash_slot_size", &(keeper->hash_slot_size), 1024*128);
MESA_load_profile_uint_def(profile, section, "hash_expire_seconds", &(keeper->hash_expire_seconds), 5*60); MESA_load_profile_uint_def(profile, section, "hash_expire_seconds", &(keeper->hash_expire_seconds), 5*60);
keeper->htable = create_hash_table(keeper->hash_slot_size, keeper->hash_expire_seconds); MESA_load_profile_uint_def(profile, section, "no_local_cache", &(keeper->no_cache), 0);
keeper->cert_cache = create_hash_table(keeper->hash_slot_size, keeper->hash_expire_seconds);
if(0==strcmp(keeper->untrusted_ca_path, keeper->trusted_ca_path)) if(0==strcmp(keeper->untrusted_ca_path, keeper->trusted_ca_path))
{ {
TFE_LOG_ERROR(logger, "Warnning: Trusted and Untrusted Root CA share the same path %s .", keeper->trusted_ca_path); TFE_LOG_ERROR(logger, "Warnning: Trusted and Untrusted Root CA share the same path %s .", keeper->trusted_ca_path);
} }
if(keeper->work_mode==KK_MODE_DEBUG) if(keeper->work_mode==KK_MODE_LOCAL)
{ {
keeper->trusted_ca_cert=ssl_x509_load(keeper->trusted_ca_path); keeper->trusted_ca_cert=ssl_x509_load(keeper->trusted_ca_path);
keeper->trusted_ca_key=ssl_key_load(keeper->trusted_ca_path); keeper->trusted_ca_key=ssl_key_load(keeper->trusted_ca_path);
@@ -607,20 +613,23 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
} }
struct key_keeper_promise_ctx* ctx = ALLOC(struct key_keeper_promise_ctx, 1); struct key_keeper_promise_ctx* ctx = ALLOC(struct key_keeper_promise_ctx, 1);
ctx->logger = keeper->logger; ctx->logger = keeper->logger;
ctx->htable = keeper->htable; ctx->ref_keeper = keeper;
ctx->key = key; ctx->key = key;
ctx->key_len = len; ctx->key_len = len;
promise_set_ctx(p, (void*)ctx, key_keeper_promise_free_ctx); promise_set_ctx(p, (void*)ctx, key_keeper_promise_free_ctx);
long int cb_rtn = 0; long int cb_rtn = 0;
MESA_htable_search_cb(ctx->htable, (const unsigned char*)(ctx->key), ctx->key_len, keyring_local_cache_query_cb, p, &cb_rtn); if(!keeper->no_cache)
if(cb_rtn == KEYRING_EXSITED)
{ {
//printf("KEYRING_EXSITED\n"); MESA_htable_search_cb(keeper->cert_cache, (const unsigned char*)(ctx->key), ctx->key_len, keyring_local_cache_query_cb, p, &cb_rtn);
return; if(cb_rtn == KEYRING_EXSITED)
{
//printf("KEYRING_EXSITED\n");
return;
}
} }
switch(keeper->work_mode) switch(keeper->work_mode)
{ {
case KK_MODE_NORMAL: case KK_MODE_CERT_STORE:
{ {
char* origin_cert_pem = transform_cert_to_pem(origin_cert); char* origin_cert_pem = transform_cert_to_pem(origin_cert);
if(origin_cert_pem == NULL) if(origin_cert_pem == NULL)
@@ -656,7 +665,7 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
free(url); free(url);
break; break;
} }
case KK_MODE_DEBUG: case KK_MODE_LOCAL:
{ {
struct keyring_private* kyr=NULL; struct keyring_private* kyr=NULL;
if(is_cert_valid == 1) if(is_cert_valid == 1)
@@ -669,11 +678,14 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
} }
if(kyr) if(kyr)
{ {
keyring_ref_inc(kyr); if(!keeper->no_cache)
int ret = MESA_htable_add(ctx->htable, ctx->key, ctx->key_len, (void*)kyr);
if(ret < 0)
{ {
key_keeper_free_keyring((struct keyring*)kyr); keyring_ref_inc(kyr);
int ret = MESA_htable_add(ctx->ref_keeper->cert_cache, ctx->key, ctx->key_len, (void*)kyr);
if(ret < 0)
{
key_keeper_free_keyring((struct keyring*)kyr);
}
} }
promise_success(p, (void*)kyr); promise_success(p, (void*)kyr);
key_keeper_free_keyring((struct keyring*)kyr); key_keeper_free_keyring((struct keyring*)kyr);