diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt
index a17c417..8f41fa4 100644
--- a/platform/CMakeLists.txt
+++ b/platform/CMakeLists.txt
@@ -36,7 +36,7 @@ endif()
 install(TARGETS tfe RUNTIME DESTINATION bin COMPONENT Program)
 ### test_key_keeper
-add_executable(test_key_keeper test/test_key_keeper.cpp src/key_keeper.cpp src/ssl_sess_cache.cpp src/ssl_utils.cc )
+add_executable(test_key_keeper test/test_key_keeper.cpp src/key_keeper.cpp src/ssl_sess_cache.cpp src/ssl_utils.cpp )
 target_include_directories(test_key_keeper PRIVATE ${CMAKE_CURRENT_LIST_DIR}/include/internal)
@@ -55,7 +55,7 @@ target_link_libraries(test_key_keeper pthread dl MESA_field_stat)
 ### test_tfe_rpc
-add_executable(test_tfe_rpc test/test_tfe_rpc.cpp src/key_keeper.cpp src/ssl_sess_cache.cpp src/ssl_utils.cc)
+add_executable(test_tfe_rpc test/test_tfe_rpc.cpp src/key_keeper.cpp src/ssl_sess_cache.cpp src/ssl_utils.cpp)
 target_include_directories(test_tfe_rpc PRIVATE ${CMAKE_CURRENT_LIST_DIR}/include/internal)
@@ -74,7 +74,7 @@ target_link_libraries(test_tfe_rpc pthread dl MESA_field_stat)
 ### test_chello_parse
-add_executable(test_chello_parse test/test_chello_parse.cpp src/ssl_utils.cc)
+add_executable(test_chello_parse test/test_chello_parse.cpp src/ssl_utils.cpp)
 target_include_directories(test_chello_parse PRIVATE ${CMAKE_CURRENT_LIST_DIR}/include/internal)
diff --git a/platform/include/internal/ssl_utils.h b/platform/include/internal/ssl_utils.h
index 1896de1..3e7a7fc 100644
--- a/platform/include/internal/ssl_utils.h
+++ b/platform/include/internal/ssl_utils.h
@@ -204,7 +204,7 @@ struct ssl_chello
 char* cipher_suites;
 char* cipher_suites_tls13;
 };
-struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len, enum chello_parse_result* result);
+struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len, int parse_cipher, enum chello_parse_result* result);
 void ssl_chello_free(struct ssl_chello* chello);
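Review bot: The new `parse_cipher` parameter of `ssl_chello_parse` is undocumented in the header, and its contract matters to callers: in the implementation `cipher_suites` and `cipher_suites_tls13` are only assigned when it is non-zero, so with 0 they keep whatever initial value the allocation gave them (presumably NULL, which this diff does not show). A comment above the prototype would pin this down, e.g. `/* parse_cipher != 0: also decode the ClientHello cipher-suite list into cipher_suites / cipher_suites_tls13 (owned by the struct, released by ssl_chello_free); 0: skip that step and leave both fields unset. */`. It is also worth stating that `result` is written on every visible path and that the visible error paths return `_chello` together with an error code, so callers must check `result` before trusting the fields.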
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index bb6d57b..2e31215 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -122,6 +122,7 @@ struct ssl_mgr
 unsigned int no_sessticket;
 unsigned int no_alpn;
 unsigned int no_cert_verify;
+ unsigned int no_mirror_client_cipher_suite;
 CONST_SSL_METHOD * (* sslmethod)(void); //Parameter of SSL_CTX_new
 int ssl_min_version, ssl_max_version;
 char ssl_session_context[8];
@@ -187,6 +188,7 @@ struct peek_client_hello_ctx
 {
 struct ssl_chello* chello;
 unsigned char sni_peek_retries; /* max 64 SNI parse retries */
+ int parse_client_cipher;
 struct event * ev;
 struct event_base * evbase;
 void * logger;
@@ -579,6 +581,7 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
 MESA_load_profile_uint_def(ini_profile, section, "no_session_ticket", &(mgr->no_sessticket), 0);
 MESA_load_profile_uint_def(ini_profile, section, "no_alpn", &(mgr->no_alpn), 0);
 MESA_load_profile_uint_def(ini_profile, section, "no_cert_verify", &(mgr->no_cert_verify), 0);
+ MESA_load_profile_uint_def(ini_profile, section, "no_mirror_client_cipher_suite", &(mgr->no_mirror_client_cipher_suite), 0);
 MESA_load_profile_uint_def(ini_profile, section, "session_cache_slots", &(mgr->cache_slots), 4 * 1024 * 1024);
@@ -679,7 +682,7 @@ static void peek_client_hello_cb(evutil_socket_t fd, short what, void * arg)
 goto failed;
 }
- chello=ssl_chello_parse(buf,n, &chello_status);
+ chello=ssl_chello_parse(buf, n, ctx->parse_client_cipher, &chello_status);
 switch(chello_status)
 {
 case CHELLO_PARSE_SUCCESS:
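Review bot: The new `no_mirror_client_cipher_suite` key is loaded with a default of 0, which makes cipher-suite parsing (and, by its name, mirroring of the downstream client's offered suites) the default behaviour for every existing configuration; the surrounding `no_*` options follow the same negative-flag convention, so the style is consistent, but nothing in the hunk documents what an operator is opting out of. A one-line comment on the load would help, e.g. `/* 0 (default): parse the downstream ClientHello cipher suites so they can be offered upstream; 1: keep the proxy's own cipher list only */`. Because the parsed list originates from an unauthenticated ClientHello, the comment should also say whether it is intersected with the manager's own cipher policy before use; that code is not in this diff and should be checked. `ssl_manager_init` continues outside the hunk.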
@@ -739,12 +742,13 @@ failed:
 return;
 }
-static void ssl_async_peek_client_hello(struct future * f, evutil_socket_t fd, struct event_base * evbase,
+static void ssl_async_peek_client_hello(struct future * f, evutil_socket_t fd, int parse_cipher, struct event_base * evbase,
 void * logger)
 {
 struct promise * p = future_to_promise(f);
 struct peek_client_hello_ctx * ctx = ALLOC(struct peek_client_hello_ctx, 1);
 ctx->ev = event_new(evbase, fd, EV_READ, peek_client_hello_cb, p);
+ ctx->parse_client_cipher=parse_cipher;
 ctx->logger = logger;
 promise_set_ctx(p, (void *) ctx, peek_client_hello_ctx_free_cb);
 event_add(ctx->ev, NULL);
@@ -1148,7 +1152,7 @@ void ssl_async_upstream_create(struct future * f, struct ssl_mgr * mgr, evutil_s
 promise_set_ctx(p, ctx, wrap_ssl_connect_server_ctx_free);
 ctx->f_peek_chello = future_create("peek_sni", peek_chello_on_succ, peek_chello_on_fail, p);
- ssl_async_peek_client_hello(ctx->f_peek_chello, fd_downstream, evbase, mgr->logger);
+ ssl_async_peek_client_hello(ctx->f_peek_chello, fd_downstream, !mgr->no_mirror_client_cipher_suite, evbase, mgr->logger);
 }
 static int ossl_session_ticket_key_callback(SSL *ssl_conn,
diff --git a/platform/src/ssl_utils.cpp b/platform/src/ssl_utils.cpp
index d07a57d..469fa22 100644
--- a/platform/src/ssl_utils.cpp
+++ b/platform/src/ssl_utils.cpp
@@ -1965,8 +1965,9 @@ static char* parse_cipher_suites(struct cipher_suite* _cipher_suite_list, int n,
 return cipher_suites_str;
 }
-struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len, enum chello_parse_result* result)
+struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len, int parse_cipher, enum chello_parse_result* result)
 {
+ int n=0;
 if(buff == NULL)
 {
 *result = CHELLO_PARSE_INVALID_FORMAT;
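Review bot: Passing `!mgr->no_mirror_client_cipher_suite` here means that, at the default setting, the upstream handshake preparation is driven by a cipher-suite list parsed from the untrusted downstream ClientHello; if the mirrored list is later applied to the upstream SSL object verbatim (that code is not in this diff), a client that offers only weak suites can make the proxy offer only those suites to the server. The call site should carry a comment making the trust boundary explicit, e.g. `/* mirror the downstream client's cipher suites upstream unless disabled; the list is client-controlled and must be constrained by the manager's own cipher policy where it is applied */`, and the place where the list is applied should be confirmed to intersect it with that policy rather than replace it. `ssl_async_upstream_create` starts outside the hunk.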
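Review bot: `int n=0;` is added at the top of `ssl_chello_parse` only so that the later `if(parse_cipher)` block can reuse it, which places a table-length variable far from its single use and gives it function-wide lifetime in a long parser; since this is C++ it can be declared at the point of use inside that block, as the previously commented-out code did, e.g. `int n = sizeof(cipher_suite_list) / sizeof(struct cipher_suite);`. The new `parse_cipher` flag is a bare `int` used as a boolean, so call sites read `ssl_chello_parse(buff, len, 1, &result)` with no hint of what `1` selects; either a `bool` or a `/* non-zero: also decode the cipher-suite list */` note on the parameter would fix that. The function body continues past the end of the hunk.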
@@ -2101,19 +2102,21 @@ struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len,
 *result = CHELLO_PARSE_INVALID_FORMAT;
 return _chello;
 }
- /*
- int n = sizeof(cipher_suite_list) / sizeof(struct cipher_suite);
- _chello->cipher_suites = parse_cipher_suites(cipher_suite_list, n, buff + pos, len, result);
- if(*result != CHELLO_PARSE_SUCCESS)
+ if(parse_cipher)
 {
- return _chello;
+ n = sizeof(cipher_suite_list) / sizeof(struct cipher_suite);
+ _chello->cipher_suites = parse_cipher_suites(cipher_suite_list, n, buff + pos, len, result);
+ if(*result != CHELLO_PARSE_SUCCESS)
+ {
+ return _chello;
+ }
+ n = sizeof(cipher_suite_list_tls13) / sizeof(struct cipher_suite);
+ _chello->cipher_suites_tls13 = parse_cipher_suites(cipher_suite_list_tls13, n, buff + pos, len, result);
+ if(*result != CHELLO_PARSE_SUCCESS)
+ {
+ return _chello;
+ }
 }
- n = sizeof(cipher_suite_list_tls13) / sizeof(struct cipher_suite);
- _chello->cipher_suites_tls13 = parse_cipher_suites(cipher_suite_list_tls13, n, buff + pos, len, result);
- if(*result != CHELLO_PARSE_SUCCESS)
- {
- return _chello;
- }*/
 pos += len;
 /* Compression Methods */
diff --git a/platform/test/test_chello_parse.cpp b/platform/test/test_chello_parse.cpp
index 7a45add..0844e69 100644
--- a/platform/test/test_chello_parse.cpp
+++ b/platform/test/test_chello_parse.cpp
@@ -44,7 +44,7 @@ int main()
 };
 size_t buff_len = sizeof(buff) / sizeof(char);
 enum chello_parse_result result;
-struct ssl_chello* chello = ssl_chello_parse(buff, buff_len, &result);
+struct ssl_chello* chello = ssl_chello_parse(buff, buff_len, 1, &result);
 printf("-----------------------------ssl2.0 only parse version --------------------------------\n");
 printf("result is %d\n", result);
 printf("min version is %d, %d\n", chello->min_version.major, chello->min_version.minor);
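Review bot: The two passes inside `if(parse_cipher)` scan the same `buff + pos, len` range against two tables and are otherwise a duplicated six-line block, so a reader may take the second `parse_cipher_suites` call for a copy-paste error; a comment such as `/* the one cipher_suites field is matched against the TLS1.2 table, then the TLS1.3 table */` would prevent that, and a small loop over the two (table, destination) pairs would remove the duplication. On a failure in the first pass the function returns with `_chello->cipher_suites` holding whatever `parse_cipher_suites` returned and `cipher_suites_tls13` untouched, so callers must release through `ssl_chello_free` even on error; that ownership rule belongs in the header comment. Note also that with `parse_cipher == 0` the cipher-suite bytes are skipped entirely (`pos += len`) and only whatever length check precedes the hunk validates them, which is fine as long as that check bounds `len` against `buff_len`. `ssl_chello_parse` starts and ends outside the hunk.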
@@ -67,7 +67,7 @@ int main()
 };
 size_t buff1_len = sizeof(buff1) / sizeof(char);
 enum chello_parse_result result1;
-struct ssl_chello* chello1 = ssl_chello_parse(buff1, buff1_len, &result1);
+struct ssl_chello* chello1 = ssl_chello_parse(buff1, buff1_len, 1, &result1);
 printf("--------------------------------ssl3.0, no extensions --------------------------------\n");
 printf("result is %d\n", result1);
 printf("min version is %d, %d\n", chello1->min_version.major, chello1->min_version.minor);
@@ -139,7 +139,7 @@ int main()
 };
 size_t buff2_len = sizeof(buff2) / sizeof(char);
 enum chello_parse_result result2;
-struct ssl_chello* chello2 = ssl_chello_parse(buff2, buff2_len, &result2);
+struct ssl_chello* chello2 = ssl_chello_parse(buff2, buff2_len, 1, &result2);
 printf("---------------------------tls1.2 --------------------------------\n");
 printf("result is %d\n", result2);
 printf("min version: %d, %d, ossl format: %x\n", chello2->min_version.major, chello2->min_version.minor, chello2->min_version.ossl_format);
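Review bot: All three call sites now pass `1`, so the new `parse_cipher == 0` path — the one `ssl_stream.cpp` selects when `no_mirror_client_cipher_suite` is set — is never exercised by this test. The TLS1.2 case is the natural place to add a second call, e.g. `struct ssl_chello* chello2b = ssl_chello_parse(buff2, buff2_len, 0, &result2);`, followed by a check that `chello2b->cipher_suites` and `chello2b->cipher_suites_tls13` remain NULL (assuming the struct is zero-initialised, which the diff does not show) while the version fields still parse, and that `ssl_chello_free(chello2b)` releases it cleanly. The test also dereferences `chello2->...` without checking `result2` first; since the parser's visible error paths return a struct together with an error code, asserting `result2 == CHELLO_PARSE_SUCCESS` before printing would make a regression fail loudly instead of printing meaningless fields. `main` continues outside the hunk.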