diff --git a/platform/include/internal/cert.h b/platform/include/internal/cert.h index d149811..e392297 100644 --- a/platform/include/internal/cert.h +++ b/platform/include/internal/cert.h @@ -4,15 +4,16 @@ #include #include -struct cert{}; -typedef struct cert cert_t; - +struct cert +{ + EVP_PKEY *key; + X509 *crt; + STACK_OF(X509) * chain; +}; struct cert_mgr; -struct cert_mgr * cert_manager_init(const char * profile); - -void cert_mgr_async_get(struct future * future, struct cert_mgr * mgr, int keyring_id, +struct cert_mgr * cert_mgr_init(const char * profile, const char* section); +struct cert* cert_mgr_query_result_release_cert(future_result_t* result); +void cert_mgr_free_cert(struct cert* cert); +void cert_mgr_async_query(struct future * future, struct cert_mgr * mgr, int keyring_id, X509 * origin_cert, struct event_base * evbase); - -void cert_free(cert_t * cert); - #endif /* !CERT_H */ diff --git a/platform/include/internal/sescache.h b/platform/include/internal/sescache.h deleted file mode 100644 index 1118f67..0000000 --- a/platform/include/internal/sescache.h +++ /dev/null @@ -1,7 +0,0 @@ -#pragma once - -struct sess_cache; -struct sess_cache * session_cache_init(); - -void session_cache_set(struct sess_cache * cache, struct sockaddr * addr, - socklen_t addrlen, const char * sni, SSL_SESSION * session); diff --git a/platform/include/internal/ssl_stream.h b/platform/include/internal/ssl_stream.h index 66fefdd..806822c 100644 --- a/platform/include/internal/ssl_stream.h +++ b/platform/include/internal/ssl_stream.h @@ -1,24 +1,36 @@ #pragma once - #include #include +#include -struct ssl_client_hello + + +struct ssl_stream; + +struct ssl_mgr; +struct ssl_mgr* init_ssl_manager(const char* ini_profile, const char* section); +void destroy_ssl_manager(struct ssl_mgr* mgr); + +struct ssl_chello { + //client hello int version; char* sni; char* cipher_suites; }; - -struct ssl_client_hello* ssl_get_peek_result(future_result_t* result); -void ssl_free_peek_result(struct ssl_client_hello* client_hello); +struct ssl_chello* ssl_peek_result_release_chello(future_result_t* result); +void ssl_chello_free(struct ssl_chello* client_hello); void ssl_async_peek_client_hello(struct future* future, evutil_socket_t fd, struct event_base *evbase); -void ssl_async_connect_origin(struct future* future, const struct ssl_client_hello* client_hello, - evutil_socket_t fd, const char* sni, struct event_base *evbase); -struct ssl_downstream * ssl_downstream_create(); -void ssl_upstream_free(struct ssl_upstream * p); -void ssl_downstream_free(struct ssl_downstream * p); +struct ssl_stream* ssl_upstream_create_result_release_stream(future_result_t* result); +struct bufferevent* ssl_upstream_create_result_release_bev(future_result_t* result); +void ssl_async_upstream_create(struct future* future, struct ssl_mgr* mgr, const struct ssl_chello* chello, evutil_socket_t fd, struct event_base *evbase); + + + +struct ssl_stream * ssl_downstream_create(struct ssl_mgr* mgr, struct ssl_chello* hello, struct cert* crt); +void ssl_stream_free_and_close_fd(struct ssl_stream* stream, struct event_base *evbase, evutil_socket_t fd); + diff --git a/platform/src/cert.cpp b/platform/src/cert.cpp index 93a0a4b..62e5974 100644 --- a/platform/src/cert.cpp +++ b/platform/src/cert.cpp @@ -2,9 +2,20 @@ #include #include +struct cert_mgr +{ + +}; +struct tfe_cert_private +{ + struct cert head; + pthread_mutex_t mutex; + size_t references; +}; + #if 0 /* - * Certificate, including private key and certificate chain. + * Certificate, including private key and cert chain. */ cert_t * @@ -189,7 +200,7 @@ cert_free(cert_t *c) free(c); } -struct cert_mgr* cert_manager_init(const char* profile) +struct cert_mgr* cert_mgr_init(const char* profile) { } diff --git a/platform/src/ssl.cc b/platform/src/ssl.cc index 8720e3f..c8e07f4 100644 --- a/platform/src/ssl.cc +++ b/platform/src/ssl.cc @@ -59,7 +59,7 @@ /* * Workaround for bug in OpenSSL 1.0.0k and 1.0.1e * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703031 - * http://openssl.6102.n7.nabble.com/NULL-ptr-deref-when-calling-SSL-get-certificate-with-1-0-0k-td43636.html + * http://openssl.6102.n7.nabble.com/NULL-ptr-deref-when-calling-SSL-get-cert-with-1-0-0k-td43636.html */ #if (OPENSSL_VERSION_NUMBER == 0x0090819fL) || \ (OPENSSL_VERSION_NUMBER == 0x100000bfL) || \ @@ -799,7 +799,7 @@ EC_KEY * ssl_ec_by_name(const char *curvename) #endif /* !OPENSSL_NO_EC */ /* - * Add a X509v3 extension to a certificate and handle errors. + * Add a X509v3 extension to a cert and handle errors. * Returns -1 on errors, 0 on success. */ int ssl_x509_v3ext_add(X509V3_CTX *ctx, X509 *crt, char *k, char *v) @@ -820,9 +820,9 @@ int ssl_x509_v3ext_add(X509V3_CTX *ctx, X509 *crt, char *k, char *v) } /* - * Copy a X509v3 extension from one certificate to another. - * If the extension is not present in the original certificate, - * the extension will not be added to the destination certificate. + * Copy a X509v3 extension from one cert to another. + * If the extension is not present in the original cert, + * the extension will not be added to the destination cert. * Returns 1 if ext was copied, 0 if not present in origcrt, -1 on error. */ int ssl_x509_v3ext_copy_by_nid(X509 *crt, X509 *origcrt, int nid) @@ -862,12 +862,12 @@ int ssl_rand(void *p, size_t sz) } /* - * Copy the serial number from src certificate to dst certificate + * Copy the serial number from src cert to dst cert * and modify it by a random offset. * If reading the serial fails for some reason, generate a new - * random serial and store it in the dst certificate. + * random serial and store it in the dst cert. * Using the same serial is not a good idea since some SSL stacks - * check for duplicate certificate serials. + * check for duplicate cert serials. * Returns 0 on success, -1 on error. */ int ssl_x509_serial_copyrand(X509 *dstcrt, X509 *srccrt) @@ -903,9 +903,9 @@ int ssl_x509_serial_copyrand(X509 *dstcrt, X509 *srccrt) } /* - * Create a fake X509v3 certificate, signed by the provided CA, - * based on the original certificate retrieved from the real server. - * The returned certificate is created using X509_new() and thus must + * Create a fake X509v3 cert, signed by the provided CA, + * based on the original cert retrieved from the real server. + * The returned cert is created using X509_new() and thus must * be freed by the caller using X509_free(). * The optional argument extraname is added to subjectAltNames if provided. */ @@ -1011,7 +1011,7 @@ ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, EVP_PKEY *key, } else { /* add extraname to original subjectAltName - * and add it to the new certificate */ + * and add it to the new cert */ gn = GENERAL_NAME_new(); if (!gn) goto errout2; @@ -1127,9 +1127,9 @@ errout: } /* - * Load a X509 certificate chain from a PEM file. - * Returns the first certificate in *crt and all subsequent certificates in - * *chain. If crt is NULL, the first certificate is prepended to *chain + * Load a X509 cert chain from a PEM file. + * Returns the first cert in *crt and all subsequent certificates in + * *chain. If crt is NULL, the first cert is prepended to *chain * instead of returned separately. If *chain is NULL, a new stack of X509* * is created in *chain, else the certs are pushed onto an existing stack. * Returns -1 on error. @@ -1137,7 +1137,7 @@ errout: * * By accessing (SSLCTX*)->extra_certs directly on OpenSSL before 1.0.2, we * depend on OpenSSL internals in this function. OpenSSL 1.0.2 introduced - * the SSL_get0_chain_certs() API for accessing the certificate chain. + * the SSL_get0_chain_certs() API for accessing the cert chain. */ int ssl_x509chain_load(X509 **crt, STACK_OF(X509) **chain, const char *filename) { @@ -1208,8 +1208,8 @@ leave1: } /* - * Use a X509 certificate chain for an SSL context. - * Copies the certificate stack to the SSL_CTX internal data structures + * Use a X509 cert chain for an SSL context. + * Copies the cert stack to the SSL_CTX internal data structures * and increases reference counts accordingly. */ void ssl_x509chain_use(SSL_CTX *sslctx, X509 *crt, STACK_OF(X509) *chain) @@ -1227,7 +1227,7 @@ void ssl_x509chain_use(SSL_CTX *sslctx, X509 *crt, STACK_OF(X509) *chain) } /* - * Load a X509 certificate from a PEM file. + * Load a X509 cert from a PEM file. * Returned X509 must be freed using X509_free() by the caller. * Not thread-safe. */ @@ -1404,7 +1404,7 @@ ssl_x509_subject_cn(X509 *crt, size_t *psz) } /* - * Write the SHA1 fingerprint of certificate to fpr as SSL_X509_FPRSZ (20) + * Write the SHA1 fingerprint of cert to fpr as SSL_X509_FPRSZ (20) * bytes long binary buffer. * Returns -1 on error, 0 on success. */ @@ -1448,7 +1448,7 @@ ssl_dh_refcount_inc(DH *dh) #endif /* !OPENSSL_NO_DH */ /* - * Increment the reference count of an X509 certificate in a thread-safe + * Increment the reference count of an X509 cert in a thread-safe * manner. */ void @@ -1462,9 +1462,9 @@ ssl_key_refcount_inc(EVP_PKEY *key) } /* - * Increment the reference count of an X509 certificate in a thread-safe + * Increment the reference count of an X509 cert in a thread-safe * manner. This differs from X509_dup() in that it does not create new, - * full copy of the certificate, but only increases the reference count. + * full copy of the cert, but only increases the reference count. */ void ssl_x509_refcount_inc(X509 *crt) @@ -1477,7 +1477,7 @@ ssl_x509_refcount_inc(X509 *crt) } /* - * Match a URL/URI hostname against a single certificate DNS name + * Match a URL/URI hostname against a single cert DNS name * using RFC 6125 rules (6.4.3 Checking of Wildcard Certificates): * * 1. The client SHOULD NOT attempt to match a presented identifier in @@ -1553,7 +1553,7 @@ ssl_wildcardify(const char *hostname) } /* - * Match DNS name against certificate subject CN and subjectAltNames DNS names. + * Match DNS name against cert subject CN and subjectAltNames DNS names. * Returns 1 if any name matches, 0 if none matches. */ int @@ -1677,7 +1677,7 @@ char **ssl_x509_names(X509 *crt) } /* - * Returns a printable representation of a certificate's common names found + * Returns a printable representation of a cert's common names found * in the Subject DN CN and subjectAltNames extension, separated by slashes. * Caller must free returned buffer. * Embedded NULL characters in hostnames are replaced with '!'. @@ -1745,7 +1745,7 @@ static char *ssl_ia5string_strdup(ASN1_IA5STRING *ia5) /* * Returns a NULL terminated array of pointers to copies of Authority - * Information Access (AIA) URLs of a given type contained in the certificate. + * Information Access (AIA) URLs of a given type contained in the cert. * Caller must free returned buffer and all pointers within. */ char **ssl_x509_aias(X509 *crt, const int type) @@ -1786,7 +1786,7 @@ char **ssl_x509_aias(X509 *crt, const int type) /* * Returns a NULL terminated array of pointers to copies of Authority - * Information Access (AIA) URLs of type OCSP contained in the certificate. + * Information Access (AIA) URLs of type OCSP contained in the cert. * Caller must free returned buffer and all pointers within. */ char **ssl_x509_ocsps(X509 *crt) @@ -1795,7 +1795,7 @@ char **ssl_x509_ocsps(X509 *crt) } /* - * Check whether the certificate is valid based on current time. + * Check whether the cert is valid based on current time. * Return 1 if valid, 0 otherwise. */ int ssl_x509_is_valid(X509 *crt) @@ -1808,7 +1808,7 @@ int ssl_x509_is_valid(X509 *crt) } /* - * Print X509 certificate data to a newly allocated string. + * Print X509 cert data to a newly allocated string. * Caller must free returned string. * Returns NULL on errors. */ @@ -1838,7 +1838,7 @@ ssl_x509_to_str(X509 *crt) } /* - * Convert X509 certificate to PEM format in a newly allocated string. + * Convert X509 cert to PEM format in a newly allocated string. * Caller must free returned string. * Returns NULL on errors. */ @@ -1939,9 +1939,9 @@ int ssl_is_ocspreq(const unsigned char *buf, size_t sz) * This is needed in order to be able to support SNI and STARTTLS. * * The OpenSSL SNI API only allows to read the indicated server name at the - * time when we have to provide the server certificate. OpenSSL does not + * time when we have to provide the server cert. OpenSSL does not * allow to asynchroniously read the indicated server name, wait for some - * unrelated event to happen, and then later to provide the server certificate + * unrelated event to happen, and then later to provide the server cert * to use and continue the handshake. Therefore we resort to parsing the * server name from the ClientHello manually before OpenSSL gets to work on it. * diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp index 75b2ca8..d29ea7f 100644 --- a/platform/src/ssl_stream.cpp +++ b/platform/src/ssl_stream.cpp @@ -4,6 +4,8 @@ #include #include #include +#include +#include #include #include @@ -26,7 +28,33 @@ #include #include #include - +#include +#define SSL_EX_DATA_IDX_SSLMGR 0 +struct ssl_mgr +{ + uint8_t sslcomp; + uint8_t no_ssl2; + uint8_t no_ssl3; + uint8_t no_tls10; + uint8_t no_tls11; + uint8_t no_tls12; + CONST_SSL_METHOD *(*sslmethod)(void); + int sslversion; + char ssl_session_context[8]; + MESA_htable_handle down_sess_cache; + MESA_htable_handle up_sess_cache; + char* default_ciphers; + DH * dh; + char * ecdhcurve; + char * crlurl; + uint8_t SSL_MODE_RELEASE_BUFFERS; +}; +struct ssl_stream +{ + SSL * ssl; + struct ssl_mgr* ref_mgr; + char* sni; +}; struct peek_client_hello_ctx { @@ -35,6 +63,71 @@ struct peek_client_hello_ctx struct event_base* evbase; }; +struct ssl_connect_origin_ctx +{ + struct bufferevent *bev; + struct ssl_stream* ssl; + struct sockaddr addr; + socklen_t addrlen; +}; + +struct ssl_mgr* init_ssl_manager(const char* ini_profile, const char* section) +{ + struct ssl_mgr* mgr=ALLOC(struct ssl_mgr*, 1); + memcpy(mgr->ssl_session_context,"mesa-tfe",sizeof(mgr->ssl_session_context)); + return mgr; +} +void destroy_ssl_manager(struct ssl_mgr* mgr) +{ + free(mgr); +} +SSL_SESSION* up_session_get(MESA_htable_handle* cache, struct sockaddr * addr, socklen_t addr_len, const char* sni) +{ + +} +void up_session_set(MESA_htable_handle* cache, struct sockaddr * addr, socklen_t addr_len, const char* sni, SSL_SESSION * value) +{ + +} +SSL_SESSION* down_session_get(MESA_htable_handle* cache, unsigned char * id, int idlen) +{ + dynbuf_t *valbuf = (dynbuf_t *)val; + MESA_htable_search_cb(const MESA_htable_handle table, const uchar * key, uint size, hash_cb_fun_t * cb, void * arg, long * cb_ret); + SSL_SESSION *sess; + const unsigned char *p; + + p = (const unsigned char *)valbuf->buf; + sess = d2i_SSL_SESSION(NULL, &p, valbuf->sz); /* increments p */ + if (!sess) + return NULL; + if (!ssl_session_is_valid(sess)) { + SSL_SESSION_free(sess); + return NULL; + } + if (copy) + return sess; + SSL_SESSION_free(sess); + return ((void*)-1); + +} +void down_session_set(MESA_htable_handle* cache, SSL_SESSION* sess) +{ + unsigned int len=0; + const unsigned char* id = SSL_SESSION_get_id(sess, &len); + unsigned char *p=NULL; + size_t asn1sz=0; + + asn1sz = i2d_SSL_SESSION(sess, NULL); + p=ALLOC(char, asn1sz); + i2d_SSL_SESSION(sess, &p); /* updates p */ + int ret=MESA_htable_add(cache, id, len, p); + return; +} +void down_session_del(MESA_htable_handle* cache, SSL_SESSION* sess) +{ + +} + void peek_client_hello_ctx_free(void* ctx) { struct peek_client_hello_ctx * _ctx=(struct peek_client_hello_ctx *)ctx; @@ -45,10 +138,10 @@ void peek_client_hello_ctx_free(void* ctx) free(_ctx); return; } -struct ssl_client_hello* ssl_get_peek_result(future_result_t* result) +struct ssl_chello* ssl_peek_result_release_chello(future_result_t* result) { - struct ssl_client_hello* p=(struct ssl_client_hello* )result, *copy=NULL; - copy=ALLOC(struct ssl_client_hello*,1); + struct ssl_chello* p=(struct ssl_chello* )result, *copy=NULL; + copy=ALLOC(struct ssl_chello*,1); if(p!=NULL) { copy->sni=tfe_strdup(p->sni); @@ -57,7 +150,7 @@ struct ssl_client_hello* ssl_get_peek_result(future_result_t* result) } return copy; } -void ssl_free_peek_result(struct ssl_client_hello* p) +void ssl_free_chello(struct ssl_chello* p) { if(p==NULL) { @@ -75,8 +168,11 @@ void ssl_free_peek_result(struct ssl_client_hello* p) static void peek_client_hello_cb(evutil_socket_t fd, short what, void * arg) { struct promise* promise=(struct promise*)arg; - struct peek_client_hello_ctx* ctx= (struct peek_client_hello_ctx*)promise->ctx; - struct ssl_client_hello *result=NULL; + struct peek_client_hello_ctx* ctx= (struct peek_client_hello_ctx*)promise_get_ctx(promise); + struct ssl_chello *result=NULL; + const char* reason_too_many_retries="too many tries"; + const char* reason_see_no_client_hello="see no client hello"; + const char* reason=NULL; memset(&result, 0, sizeof(result)); char* sni=NULL; unsigned char buf[1024]; @@ -97,44 +193,50 @@ static void peek_client_hello_cb(evutil_socket_t fd, short what, void * arg) } result=ssl_get_peek_result(NULL); //todo: parse version and cipher suites. + //or we should use sni proxy instead? https://github.com/dlundquist/sniproxy/blob/master/src/tls.c rv = ssl_tls_clienthello_parse(buf, n, 0, &chello, &result->sni); - if ((rv == 1) && !chello) + if(rv==0) { - TFE_LOG_ERROR("Peeking did not yield a (truncated) ClientHello message, aborting connection\n"); - goto failed; + promise_dettach_ctx(promise); + promise_success(promise, result); + ssl_free_chello(result); + peek_client_hello_ctx_free(ctx); } - - if ((rv == 1) && chello && (ctx->sni_peek_retries++ < 50)) + else { + if(!chello) + { + TFE_LOG_ERROR("Peeking did not yield a (truncated) ClientHello message, aborting connection\n"); + reason="see no client hello"; + goto failed; + } + + if(ctx->sni_peek_retries++ > 50) + { + TFE_LOG_ERROR("Peek failed due to too many retries\n"); + reason="too many peek retries"; + goto failed; + } /* ssl_tls_clienthello_parse indicates that we - * should retry later when we have more data, and we - * haven't reached the maximum retry count yet. - * Reschedule this event as timeout-only event in - * order to prevent busy looping over the read event. - * Because we only peeked at the pending bytes and - * never actually read them, fd is still ready for - * reading now. We use 25 * 0.2 s = 5 s timeout. */ + * should retry later when we have more data, and we + * haven't reached the maximum retry count yet. + * Reschedule this event as timeout-only event in + * order to prevent busy looping over the read event. + * Because we only peeked at the pending bytes and + * never actually read them, fd is still ready for + * reading now. We use 25 * 0.2 s = 5 s timeout. */ struct timeval retry_delay = {0, 100}; - event_free(ctx->ev); ctx->ev = event_new(ctx->evbase, fd, 0, peek_client_hello_cb, promise); assert(ctx->ev!=NULL); event_add(ctx->ev, &retry_delay); - return; } - - - promise_dettach_ctx(promise); - promise_success(promise, result); - ssl_free_peek_result(result); - peek_client_hello_ctx_free(ctx); return; failed: - promise_failed(promise,FUTURE_ERROR_EXCEPTION,"too many tries"); - peek_client_hello_ctx_free(ctx); promise_dettach_ctx(promise); - ssl_free_peek_result(result); - + promise_failed(promise,FUTURE_ERROR_EXCEPTION,reason); + peek_client_hello_ctx_free(ctx); + ssl_free_chello(result); return; } @@ -151,21 +253,101 @@ void ssl_async_peek_client_hello(struct future* future, evutil_socket_t fd, str return; } +/* + * Create new SSL context for outgoing connections to the original destination. + * If hostname sni is provided, use it for Server Name Indication. + */ -struct ssl_connect_origin_ctx +static SSL* upstream_ssl_create(struct ssl_mgr* mgr, const struct ssl_chello* chello, struct sockaddr* addr, socklen_t addrlen) { - struct bufferevent *bev; - SSL* ssl; + SSL_CTX* sslctx=NULL; + SSL* ssl=NULL; + SSL_SESSION* sess=NULL; + -}; + sslctx = SSL_CTX_new(mgr->sslmethod()); + + pxy_sslctx_setoptions(sslctx, mgr); + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (mgr->sslversion) { + if (SSL_CTX_set_min_proto_version(sslctx, chello->version) == 0 || + SSL_CTX_set_max_proto_version(sslctx, chello->version) == 0) { + SSL_CTX_free(sslctx); + return NULL; + } + } +#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ + + SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL); + + ssl = SSL_new(sslctx); + SSL_CTX_free(sslctx); /* SSL_new() increments refcount */ + if (!ssl) + { + return NULL; + } +#ifndef OPENSSL_NO_TLSEXT + if (chello->sni) + { + SSL_set_tlsext_host_name(ssl, sni); + } +#endif /* !OPENSSL_NO_TLSEXT */ + +#ifdef SSL_MODE_RELEASE_BUFFERS + /* lower memory footprint for idle connections */ + SSL_set_mode(ssl, SSL_get_mode(ssl) | SSL_MODE_RELEASE_BUFFERS); +#endif /* SSL_MODE_RELEASE_BUFFERS */ + + //Todo: Refactor below session resumption. + /* session resuming based on remote endpoint address and port */ + sess = up_session_get(mgr->up_sess_cache, addr, + addrlen, chello->sni); /* new sess inst */ + if (sess) + { + SSL_set_session(ssl, sess); /* increments sess refcount */ + SSL_SESSION_free(sess); + } + + return ssl; +} + + +void ssl_stream_shutdown(struct bufferevent *bev,struct ssl_stream* ssl) +{ + //TODO: +} void ssl_connect_origin_ctx_free(struct ssl_connect_origin_ctx* ctx) { - ctx->ssl=NULL; - bufferevent_free(ctx->bev); - ctx->bev=NULL; - //Do not free bev and ssl, reserved for user. - free(ctx); + if(ctx->ssl!=NULL) + { + ssl_stream_shutdown(ctx->bev,ctx->ssl); + free(ctx->ssl); + } + if(ctx->bev!=NULL) + { + bufferevent_free(ctx->bev); + ctx->bev=NULL; + } + free(ctx); + return; } +struct ssl_stream* ssl_conn_origin_result_release_stream(future_result_t* result) +{ + struct ssl_connect_origin_ctx* ctx=(struct ssl_connect_origin_ctx* )result; + struct ssl_stream* ret=ctx->ssl; + ctx->ssl=NULL; //giveup ownership + return ret; +} +struct bufferevent* ssl_conn_origin_result_release_bev(future_result_t* result) +{ + struct ssl_connect_origin_ctx* ctx=(struct ssl_connect_origin_ctx* )result; + struct bufferevent * ret=ctx->bev; + ctx->bev=NULL; //giveup ownership + return ret; + +} + /* * Callback for meta events on the up- and downstream connection bufferevents. * Called when EOF has been reached, a connection has been made, and on errors. @@ -173,22 +355,25 @@ void ssl_connect_origin_ctx_free(struct ssl_connect_origin_ctx* ctx) static void ssl_connect_origin_eventcb(struct bufferevent * bev, short events, void * arg) { struct promise* promise=(struct promise*)arg; - struct ssl_connect_origin_ctx* ctx=(struct ssl_connect_origin_ctx*)promise_dettach_ctx(promise); - + struct ssl_connect_origin_ctx* ctx=(struct ssl_connect_origin_ctx*)promise_get_ctx(promise); + SSL_SESSION * to_cached=NULL; struct tfe_stream_private* _stream = (struct tfe_stream_private*)arg; if (events & BEV_EVENT_ERROR) { - promise->f.cb_failed(FUTURE_ERROR_EXCEPTION,"ssl connect failed",promise->f.user); + promise_failed(promise, FUTURE_ERROR_EXCEPTION, "ssl connect failed"); } else { if (events & BEV_EVENT_CONNECTED) - { - promise->f.cb_success(ctx->bev,promise->f.user); + { + bufferevent_setcb(ctx->bev, NULL, NULL, NULL, NULL);//leave a clean bev for on_success + to_cached=SSL_get0_session(ctx->ssl->ssl); + up_session_set(ctx->ssl->ref_mgr->up_sess_cache, &(ctx->addr), ctx->addrlen, ctx->ssl->sni, to_cached); + promise_dettach_ctx(promise); + promise_success(promise, ctx); ctx->bev=NULL; } - else { assert(0); @@ -198,11 +383,19 @@ static void ssl_connect_origin_eventcb(struct bufferevent * bev, short events, v return } -void ssl_async_connect_origin(struct future* future, const struct ssl_client_hello* client_hello, evutil_socket_t fd, const char* sni, struct event_base *evbase) +void ssl_async_connect_origin(struct future* future, struct ssl_mgr* mgr, const struct ssl_chello* chello, evutil_socket_t fd, struct event_base *evbase) { struct promise* p=future_to_promise(future); struct ssl_connect_origin_ctx* ctx=ALLOC(struct ssl_connect_origin_ctx, 1); - ctx->ssl=upstream_ssl_create(opts,sni); + int ret=0; + struct sockaddr addr; + socklen_t addrlen; + ret=getpeername(fd, &(ctx->addr), &(ctx->addrlen)); + assert(ret==0); + ctx->ssl=ALLOC(struct ssl_stream,1); + ctx->ssl->ref_mgr=mgr; + ctx->ssl->sni=tfe_strdup(chello->sni); + ctx->ssl->ssl=upstream_ssl_create(mgr, chello, &(ctx->addr), ctx->addrlen); ctx->bev = bufferevent_openssl_socket_new(evbase, fd, ctx->ssl, BUFFEREVENT_SSL_CONNECTING, BEV_OPT_DEFER_CALLBACKS); promise_set_ctx(p, ctx, ssl_connect_origin_ctx_free); bufferevent_openssl_set_allow_dirty_shutdown(ctx->bev, 1); @@ -211,7 +404,7 @@ void ssl_async_connect_origin(struct future* future, const struct ssl_client_hel } /* - * Dump information on a certificate to the debug log. + * Dump information on a cert to the debug log. */ static void pxy_debug_crt(X509 * crt) { @@ -241,7 +434,7 @@ static void pxy_debug_crt(X509 * crt) } #ifdef DEBUG_CERTIFICATE - /* dump certificate */ + /* dump cert */ log_dbg_print_free(ssl_x509_to_str(crt)); log_dbg_print_free(ssl_x509_to_pem(crt)); #endif /* DEBUG_CERTIFICATE */ @@ -406,35 +599,22 @@ out: * the refcount decrementing. In other words, return 0 if we did not * keep a pointer to the object (which we never do here). */ -#ifdef HAVE_SSLV2 -#define MAYBE_UNUSED -#else /* !HAVE_SSLV2 */ -#define MAYBE_UNUSED UNUSED -#endif /* !HAVE_SSLV2 */ + static int -pxy_ossl_sessnew_cb(MAYBE_UNUSED SSL * ssl, SSL_SESSION * sess) -#undef MAYBE_UNUSED +pxy_ossl_sessnew_cb(SSL * ssl, SSL_SESSION * sess) { -#ifdef DEBUG_SESSION_CACHE - log_dbg_printf("===> OpenSSL new session callback:\n"); - if (sess) { - log_dbg_print_free(ssl_session_to_str(sess)); - } else { - log_dbg_printf("(null)\n"); - } -#endif /* DEBUG_SESSION_CACHE */ + struct ssl_mgr* mgr=(struct ssl_mgr*) SSL_get_ex_data(ssl, SSL_EX_DATA_IDX_SSLMGR, mgr); + #ifdef HAVE_SSLV2 /* Session resumption seems to fail for SSLv2 with protocol * parsing errors, so we disable caching for SSLv2. */ if (SSL_version(ssl) == SSL2_VERSION) { - log_err_printf("Warning: Session resumption denied to SSLv2" - "client.\n"); return 0; } #endif /* HAVE_SSLV2 */ if (sess) { - cachemgr_ssess_set(sess); + down_session_set(mgr->down_sess_cache, sess); } return 0; } @@ -447,46 +627,26 @@ pxy_ossl_sessnew_cb(MAYBE_UNUSED SSL * ssl, SSL_SESSION * sess) static void pxy_ossl_sessremove_cb(UNUSED SSL_CTX * sslctx, SSL_SESSION * sess) { -#ifdef DEBUG_SESSION_CACHE - log_dbg_printf("===> OpenSSL remove session callback:\n"); - if (sess) { - log_dbg_print_free(ssl_session_to_str(sess)); - } else { - log_dbg_printf("(null)\n"); - } -#endif /* DEBUG_SESSION_CACHE */ + struct ssl_mgr* mgr=(struct ssl_mgr*) SSL_get_ex_data(ssl, SSL_EX_DATA_IDX_SSLMGR, mgr); if (sess) { - cachemgr_ssess_del(sess); + down_session_del(mgr->down_sess_cache, sess); } + return; } /* * Called by OpenSSL when a src SSL session is requested by the client. + OPENSSL_VERSION_NUMBER >= 0x10100000L required. */ static SSL_SESSION * -#if OPENSSL_VERSION_NUMBER < 0x10100000L -pxy_ossl_sessget_cb(UNUSED SSL * ssl, unsigned char * id, int idlen, int * copy) -#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ pxy_ossl_sessget_cb(UNUSED SSL *ssl, const unsigned char *id, int idlen, int *copy) -#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ { + struct ssl_mgr* mgr=(struct ssl_mgr*) SSL_get_ex_data(ssl, SSL_EX_DATA_IDX_SSLMGR, mgr); SSL_SESSION * sess; -#ifdef DEBUG_SESSION_CACHE - log_dbg_printf("===> OpenSSL get session callback:\n"); -#endif /* DEBUG_SESSION_CACHE */ - *copy = 0; /* SSL should not increment reference count of session */ - sess = (SSL_SESSION *) cachemgr_ssess_get(id, idlen); - -#ifdef DEBUG_SESSION_CACHE - if (sess) { - log_dbg_print_free(ssl_session_to_str(sess)); - } -#endif /* DEBUG_SESSION_CACHE */ - - log_dbg_printf("SSL session cache: %s\n", sess ? "HIT" : "MISS"); + sess = (SSL_SESSION *) down_session_get(mgr->down_sess_cache,id, idlen); return sess; } @@ -494,7 +654,7 @@ pxy_ossl_sessget_cb(UNUSED SSL *ssl, const unsigned char *id, int idlen, int *co * Set SSL_CTX options that are the same for incoming and outgoing SSL_CTX. */ static void -pxy_sslctx_setoptions(SSL_CTX * sslctx, tfe_config opts) +pxy_sslctx_setoptions(SSL_CTX * sslctx, struct ssl_mgr* mgr) { SSL_CTX_set_options(sslctx, SSL_OP_ALL); #ifdef SSL_OP_TLS_ROLLBACK_BUG @@ -512,7 +672,7 @@ pxy_sslctx_setoptions(SSL_CTX * sslctx, tfe_config opts) #ifdef SSL_OP_NO_SSLv2 #ifdef HAVE_SSLV2 - if (opts->no_ssl2) { + if (mgr->no_ssl2) { #endif /* HAVE_SSLV2 */ SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2); #ifdef HAVE_SSLV2 @@ -520,131 +680,40 @@ pxy_sslctx_setoptions(SSL_CTX * sslctx, tfe_config opts) #endif /* HAVE_SSLV2 */ #endif /* !SSL_OP_NO_SSLv2 */ #ifdef HAVE_SSLV3 - if (opts->no_ssl3) + if (mgr->no_ssl3) { SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv3); } #endif /* HAVE_SSLV3 */ #ifdef HAVE_TLSV10 - if (opts->no_tls10) + if (mgr->no_tls10) { SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1); } #endif /* HAVE_TLSV10 */ #ifdef HAVE_TLSV11 - if (opts->no_tls11) + if (mgr->no_tls11) { SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1_1); } #endif /* HAVE_TLSV11 */ #ifdef HAVE_TLSV12 - if (opts->no_tls12) + if (mgr->no_tls12) { SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1_2); } #endif /* HAVE_TLSV12 */ #ifdef SSL_OP_NO_COMPRESSION - if (!opts->sslcomp) + if (!mgr->sslcomp) { SSL_CTX_set_options(sslctx, SSL_OP_NO_COMPRESSION); } #endif /* SSL_OP_NO_COMPRESSION */ - SSL_CTX_set_cipher_list(sslctx, opts->ciphers); + SSL_CTX_set_cipher_list(sslctx, mgr->default_ciphers); } -/* - * Create and set up a new SSL_CTX instance for terminating SSL. - * Set up all the necessary callbacks, the certificate, the cert chain and key. - */ -static SSL_CTX * downstream_sslctx_create( - pxy_conn_ctx_t * ctx, X509 * crt, STACK_OF(X509) * chain, - EVP_PKEY * key, struct tfe_config* opts, void* cb_arg) -{ - SSL_CTX * sslctx = SSL_CTX_new(opts->sslmethod()); - if (!sslctx) - return NULL; - - pxy_sslctx_setoptions(sslctx, opts); - -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - if (opts->sslversion) { - if (SSL_CTX_set_min_proto_version(sslctx, opts->sslversion) == 0 || - SSL_CTX_set_max_proto_version(sslctx, opts->sslversion) == 0) { - SSL_CTX_free(sslctx); - return NULL; - } - } -#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ - - SSL_CTX_sess_set_new_cb(sslctx, pxy_ossl_sessnew_cb); - SSL_CTX_sess_set_remove_cb(sslctx, pxy_ossl_sessremove_cb); - SSL_CTX_sess_set_get_cb(sslctx, pxy_ossl_sessget_cb); - SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_SERVER | - SSL_SESS_CACHE_NO_INTERNAL); -#ifdef USE_SSL_SESSION_ID_CONTEXT - SSL_CTX_set_session_id_context(sslctx, (void *)(&ssl_session_context), - sizeof(ssl_session_context)); -#endif /* USE_SSL_SESSION_ID_CONTEXT */ -#ifndef OPENSSL_NO_TLSEXT - SSL_CTX_set_tlsext_servername_callback(sslctx, pxy_ossl_servername_cb); - SSL_CTX_set_tlsext_servername_arg(sslctx, ctx); -#endif /* !OPENSSL_NO_TLSEXT */ -#ifndef OPENSSL_NO_DH - if (ctx->opts->dh) - { - SSL_CTX_set_tmp_dh(sslctx, ctx->opts->dh); - } - else - { - SSL_CTX_set_tmp_dh_callback(sslctx, ssl_tmp_dh_callback); - } -#endif /* !OPENSSL_NO_DH */ -#ifndef OPENSSL_NO_ECDH - if (ctx->opts->ecdhcurve) - { - EC_KEY * ecdh = ssl_ec_by_name(ctx->opts->ecdhcurve); - SSL_CTX_set_tmp_ecdh(sslctx, ecdh); - EC_KEY_free(ecdh); - } - else - { - EC_KEY * ecdh = ssl_ec_by_name(NULL); - SSL_CTX_set_tmp_ecdh(sslctx, ecdh); - EC_KEY_free(ecdh); - } -#endif /* !OPENSSL_NO_ECDH */ - SSL_CTX_use_certificate(sslctx, crt); - SSL_CTX_use_PrivateKey(sslctx, key); - for (int i = 0; i < sk_X509_num(chain); i++) - { - X509 * c = sk_X509_value(chain, i); - ssl_x509_refcount_inc(c); /* next call consumes a reference */ - SSL_CTX_add_extra_chain_cert(sslctx, c); - } - -#ifdef DEBUG_SESSION_CACHE - if (OPTS_DEBUG(ctx->opts)) { - int mode = SSL_CTX_get_session_cache_mode(sslctx); - log_dbg_printf("SSL session cache mode: %08x\n", mode); - if (mode == SSL_SESS_CACHE_OFF) - log_dbg_printf("SSL_SESS_CACHE_OFF\n"); - if (mode & SSL_SESS_CACHE_CLIENT) - log_dbg_printf("SSL_SESS_CACHE_CLIENT\n"); - if (mode & SSL_SESS_CACHE_SERVER) - log_dbg_printf("SSL_SESS_CACHE_SERVER\n"); - if (mode & SSL_SESS_CACHE_NO_AUTO_CLEAR) - log_dbg_printf("SSL_SESS_CACHE_NO_AUTO_CLEAR\n"); - if (mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP) - log_dbg_printf("SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\n"); - if (mode & SSL_SESS_CACHE_NO_INTERNAL_STORE) - log_dbg_printf("SSL_SESS_CACHE_NO_INTERNAL_STORE\n"); - } -#endif /* DEBUG_SESSION_CACHE */ - - return sslctx; -} static int pxy_srccert_write_to_gendir(pxy_conn_ctx_t * ctx, X509 * crt, int is_orig) @@ -683,22 +752,22 @@ static void pxy_srccert_write(pxy_conn_ctx_t * ctx) if (pxy_srccert_write_to_gendir(ctx, SSL_get_certificate(ctx->src.ssl), 0) == -1) { - log_err_printf("Failed to write used certificate\n"); + log_err_printf("Failed to write used cert\n"); } } if (ctx->opts->certgen_writeall) { if (pxy_srccert_write_to_gendir(ctx, ctx->origcrt, 1) == -1) { - log_err_printf("Failed to write orig certificate\n"); + log_err_printf("Failed to write orig cert\n"); } } } /* * Create new SSL context for the incoming connection, based on the original - * destination SSL certificate. - * Returns NULL if no suitable certificate could be found. + * destination SSL cert. + * Returns NULL if no suitable cert could be found. */ @@ -729,10 +798,10 @@ static SSL * downstream_ssl_create(cert_t * cert, struct tfe_config* opts) /* * OpenSSL servername callback, called when OpenSSL receives a servername * TLS extension in the clientHello. Must switch to a new SSL_CTX with - * a different certificate if we want to replace the server cert here. - * We generate a new certificate if the current one does not match the + * a different cert if we want to replace the server cert here. + * We generate a new cert if the current one does not match the * supplied servername. This should only happen if the original destination - * server supplies a certificate which does not match the server name we + * server supplies a cert which does not match the server name we * indicate to it. */ static int pxy_ossl_servername_cb(SSL * ssl, UNUSED int * al, void * arg) @@ -779,7 +848,7 @@ static int pxy_ossl_servername_cb(SSL * ssl, UNUSED int * al, void * arg) } } - /* generate a new certificate with sn as additional altSubjectName + /* generate a new cert with sn as additional altSubjectName * and replace it both in the current SSL ctx and in the cert cache */ if (!ctx->immutable_cert && !ssl_x509_names_match((sslcrt = SSL_get_certificate(ssl)), sn)) @@ -805,7 +874,7 @@ static int pxy_ossl_servername_cb(SSL * ssl, UNUSED int * al, void * arg) if (OPTS_DEBUG(ctx->opts)) { log_dbg_printf("===> Updated forged server " - "certificate:\n"); + "cert:\n"); pxy_debug_crt(newcrt); } if (WANT_CONNECT_LOG(ctx)) @@ -854,81 +923,7 @@ static int pxy_ossl_servername_cb(SSL * ssl, UNUSED int * al, void * arg) return SSL_TLSEXT_ERR_OK; } -/* - * Create new SSL context for outgoing connections to the original destination. - * If hostname sni is provided, use it for Server Name Indication. - */ -static SSL* upstream_ssl_create(const struct ssl_client_hello* client_hello, int sslversion, const char* sni, MESA_htable_handle* dsess_cache) -{ - SSL_CTX* sslctx=NULL; - SSL* ssl=NULL; - SSL_SESSION* sess=NULL; - - sslctx = SSL_CTX_new(opts->sslmethod()); - - pxy_sslctx_setoptions(sslctx, opts); - -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - if (opts->sslversion) { - if (SSL_CTX_set_min_proto_version(sslctx, opts->sslversion) == 0 || - SSL_CTX_set_max_proto_version(sslctx, opts->sslversion) == 0) { - SSL_CTX_free(sslctx); - return NULL; - } - } -#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ - - SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL); - - ssl = SSL_new(sslctx); - SSL_CTX_free(sslctx); /* SSL_new() increments refcount */ - if (!ssl) - { - return NULL; - } -#ifndef OPENSSL_NO_TLSEXT - if (sni) - { - SSL_set_tlsext_host_name(ssl, sni); - } -#endif /* !OPENSSL_NO_TLSEXT */ - -#ifdef SSL_MODE_RELEASE_BUFFERS - /* lower memory footprint for idle connections */ - SSL_set_mode(ssl, SSL_get_mode(ssl) | SSL_MODE_RELEASE_BUFFERS); -#endif /* SSL_MODE_RELEASE_BUFFERS */ - - //Todo: Refactor below session resumption. - /* session resuming based on remote endpoint address and port */ - sess = (SSL_SESSION *) cachemgr_dsess_get((struct sockaddr *) &ctx->addr, - ctx->addrlen, ctx->sni); /* new sess inst */ - if (sess) - { - if (OPTS_DEBUG(opts)) - { - log_dbg_printf("Attempt reuse dst SSL session\n"); - } - SSL_set_session(ssl, sess); /* increments sess refcount */ - SSL_SESSION_free(sess); - } - - return ssl; -} -/* -struct ssl_upstream* ssl_upstream_create(tfe_config*opts, const char* sni) -{ - struct ssl_upstream* upstream=NULL; - SSL* ssl=NULL; - ssl=upstream_ssl_create(opts,sni); - if(ssl==NULL) - { - return NULL; - } - upstream=ALLOC(struct ssl_upstream,1); - upstream->ssl=ssl; - return upstream; -}*/ void ssl_upstream_free(struct ssl_upstream* p) { @@ -936,16 +931,120 @@ void ssl_upstream_free(struct ssl_upstream* p) //todo close ssl with a callback. //SSL_free(ctx->ssl); } -struct ssl_downstream* ssl_downstream_create(void) + +/* + * Create and set up a new SSL_CTX instance for terminating SSL. + * Set up all the necessary callbacks, the cert, the cert chain and key. + */ +static SSL_CTX * down_sslctx_create(struct ssl_mgr* mgr, struct cert* crt) { - struct ssl_downstream* p=NULL; - p=ALLOC(struct ssl_downstream, 1); - return p; + SSL_CTX * sslctx = SSL_CTX_new(mgr->sslmethod()); + if (!sslctx) + return NULL; + + pxy_sslctx_setoptions(sslctx, mgr); + +//TFE's OPENSSL_VERSION_NUMBER >= 0x10100000L + if (mgr->sslversion) { + if (SSL_CTX_set_min_proto_version(sslctx,mgr->sslversion) == 0 || + SSL_CTX_set_max_proto_version(sslctx, mgr->sslversion) == 0) { + SSL_CTX_free(sslctx); + return NULL; + } + } + + SSL_CTX_sess_set_new_cb(sslctx, pxy_ossl_sessnew_cb); + SSL_CTX_sess_set_remove_cb(sslctx, pxy_ossl_sessremove_cb); + SSL_CTX_sess_set_get_cb(sslctx, pxy_ossl_sessget_cb); + SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_SERVER | + SSL_SESS_CACHE_NO_INTERNAL); +#ifdef USE_SSL_SESSION_ID_CONTEXT + SSL_CTX_set_session_id_context(sslctx, (void *)(mgr->ssl_session_context), + sizeof(mgr->ssl_session_context)); +#endif /* USE_SSL_SESSION_ID_CONTEXT */ + +#ifndef OPENSSL_NO_DH + if (mgr->dh) + { + SSL_CTX_set_tmp_dh(sslctx, mgr->dh); + } + else + { + SSL_CTX_set_tmp_dh_callback(sslctx, ssl_tmp_dh_callback); + } +#endif /* !OPENSSL_NO_DH */ +#ifndef OPENSSL_NO_ECDH + if (mgr->ecdhcurve) + { + EC_KEY * ecdh = ssl_ec_by_name(mgr->ecdhcurve); + SSL_CTX_set_tmp_ecdh(sslctx, ecdh); + EC_KEY_free(ecdh); + } + else + { + EC_KEY * ecdh = ssl_ec_by_name(NULL); + SSL_CTX_set_tmp_ecdh(sslctx, ecdh); + EC_KEY_free(ecdh); + } +#endif /* !OPENSSL_NO_ECDH */ + SSL_CTX_use_certificate(sslctx, crt->crt); + SSL_CTX_use_PrivateKey(sslctx, crt->key); + for (int i = 0; i < sk_X509_num(crt->chain); i++) + { + X509 * c = sk_X509_value(crt->chain, i); + ssl_x509_refcount_inc(c); /* next call consumes a reference */ + SSL_CTX_add_extra_chain_cert(sslctx, c); + } + return sslctx; } -void ssl_downstream_free(struct ssl_downstream* p) + + +/* + * Create new SSL context for the incoming connection, based on the original + * destination SSL cert. + * Returns NULL if no suitable cert could be found. + */ +struct ssl_stream * ssl_downstream_create(struct ssl_mgr* mgr, struct ssl_chello* hello, struct cert* crt) { - free(p->sni); - p->sni=NULL; + struct ssl_stream* p=NULL; + if(crt==NULL) + { + goto error_out; + } + p=ALLOC(struct ssl_stream, 1); + p->ref_mgr=mgr; + //could be optimized by store the sslctx. + SSL_CTX * sslctx = down_sslctx_create(mgr,crt); + cert_mgr_free_cert(crt); + if (!sslctx) + { + goto error_out; + } + p->ssl = SSL_new(sslctx); + int ret=SSL_set_ex_data(p->ssl, SSL_EX_DATA_IDX_SSLMGR, mgr); + assert(ret==1); + SSL_CTX_free(sslctx); /* SSL_new() increments refcount */ + if (!p->ssl) + { + goto error_out; + } + if(mgr->SSL_MODE_RELEASE_BUFFERS==1) + { + /* lower memory footprint for idle connections */ + SSL_set_mode( p->ssl, SSL_get_mode(p->ssl) | SSL_MODE_RELEASE_BUFFERS); + } + p->sni=tfe_strdup(hello->sni); + return p; +error_out: + free(p); + return NULL; +} + +void ssl_stream_free_and_close_fd(struct ssl_stream* stream, struct event_base *evbase, evutil_socket_t fd) +{ + free(stream->sni); + stream->sni=NULL; // X509_free(p->fake_cert); } + diff --git a/platform/src/tfe_stream.cpp b/platform/src/tfe_stream.cpp index 0eeb96e..6a3cffa 100644 --- a/platform/src/tfe_stream.cpp +++ b/platform/src/tfe_stream.cpp @@ -40,13 +40,6 @@ */ #define STRORDASH(x) (((x)&&*(x))?(x):"-") -/* - * Context used for all server http_sessions_. - */ -#ifdef USE_SSL_SESSION_ID_CONTEXT -static unsigned long ssl_session_context = 0x31415926; -#endif /* USE_SSL_SESSION_ID_CONTEXT */ - /* forward declaration of libevent callbacks */ static void tfe_stream_readcb(struct bufferevent *, void *); static void tfe_stream_writecb(struct bufferevent *, void *); @@ -435,7 +428,7 @@ void ssl_conn_origin_on_succ(void * result, void * user) _stream->ssl_upstream->orig_cert = SSL_get_peer_certificate(_stream->ssl_upstream->ssl); #if 0 - session_cache_set(_stream->thrmgr_ref->dsess_cache, _stream->ssl_downstream->sni, + up_session_set(_stream->thrmgr_ref->dsess_cache, _stream->ssl_downstream->sni, SSL_get0_session(_stream->ssl_upstream->ssl)); #endif @@ -473,7 +466,7 @@ void peek_client_hello_on_succ(void * result, void * user) _stream->ssl_upstream = ALLOC(struct ssl_upstream, 1); _stream->ssl_upstream->conn_ssl_srv = future_create(ssl_conn_origin_on_succ, ssl_conn_origin_on_fail, _stream); - ssl_async_connect_origin(_stream->ssl_upstream->conn_ssl_srv, _stream->fd_upstream, _stream->ssl_downstream->sni, + ssl_async_upstream_create(_stream->ssl_upstream->conn_ssl_srv, _stream->fd_upstream, _stream->ssl_downstream->sni, _stream->thrmgr_ref->evbase, NULL); } @@ -483,6 +476,7 @@ void peek_client_hello_on_fail(enum e_future_error err, const char * what, void assert(0); } + int ssl_stream_setup(struct tfe_stream_private * _stream) { return 0;