完成tfe中相关功能的开发,回归测试通过。
@@ -21,6 +21,13 @@
|
||||
#include <event2/thread.h>
|
||||
#include <event2/dns.h>
|
||||
|
||||
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
#include <MESA/MESA_htable.h>
|
||||
#include <MESA/MESA_prof_load.h>
|
||||
|
||||
@@ -30,6 +37,7 @@
|
||||
#include <tfe_proxy.h>
|
||||
#include <key_keeper.h>
|
||||
#include <ssl_sess_cache.h>
|
||||
#include <ssl_trusted_cert_storage.h>
|
||||
#include <ssl_utils.h>
|
||||
#include <platform.h>
|
||||
|
||||
@@ -124,8 +132,7 @@ struct ssl_mgr
|
||||
|
||||
uint8_t ssl_mode_release_buffers;
|
||||
char trust_CA_file[TFE_PATH_MAX];
|
||||
char trust_CA_dir[TFE_PATH_MAX];
|
||||
X509_STORE * trust_CA_store;
|
||||
struct ssl_trusted_cert_storage * trust_CA_store;
|
||||
struct key_keeper * key_keeper;
|
||||
struct event_base * ev_base_gc;
|
||||
struct event * gcev;
|
||||
@@ -462,7 +469,7 @@ void ssl_manager_destroy(struct ssl_mgr * mgr)
|
||||
}
|
||||
if (mgr->trust_CA_store)
|
||||
{
|
||||
X509_STORE_free(mgr->trust_CA_store);
|
||||
ssl_trusted_cert_storage_destroy(mgr->trust_CA_store);
|
||||
mgr->trust_CA_store = NULL;
|
||||
}
|
||||
if(mgr->down_sess_cache)
|
||||
@@ -552,34 +559,17 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
|
||||
TFE_LOG_ERROR(logger, "Certificate Manager initiate failed.");
|
||||
goto error_out;
|
||||
}
|
||||
|
||||
mgr->trust_CA_store = X509_STORE_new();
|
||||
|
||||
MESA_load_profile_string_def(ini_profile, section, "trust_CA_file", mgr->trust_CA_file, sizeof(mgr->trust_CA_file),
|
||||
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem");
|
||||
|
||||
mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trust_CA_file);
|
||||
if (mgr->trust_CA_store == NULL)
|
||||
{
|
||||
TFE_LOG_ERROR(logger, "Failed at creating X509_STORE");
|
||||
goto error_out;
|
||||
}
|
||||
|
||||
ret = X509_STORE_set_default_paths(mgr->trust_CA_store);
|
||||
if (ret == 0)
|
||||
{
|
||||
TFE_LOG_ERROR(logger, "Failed at setting default paths for X509_STORE.");
|
||||
goto error_out;
|
||||
}
|
||||
|
||||
MESA_load_profile_string_def(ini_profile, section, "trust_CA_file", mgr->trust_CA_file, sizeof(mgr->trust_CA_file),
|
||||
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem");
|
||||
MESA_load_profile_string_def(ini_profile, section, "trust_CA_dir", mgr->trust_CA_dir, sizeof(mgr->trust_CA_dir),
|
||||
"");
|
||||
|
||||
ret = X509_STORE_load_locations(mgr->trust_CA_store, strlen(mgr->trust_CA_file) > 0 ? mgr->trust_CA_file : NULL,
|
||||
strlen(mgr->trust_CA_dir) > 0 ? mgr->trust_CA_dir : NULL);
|
||||
|
||||
if (ret == 0)
|
||||
{
|
||||
TFE_LOG_ERROR(logger, "Failed at setting load locations for X509_STORE");
|
||||
goto error_out;
|
||||
}
|
||||
|
||||
memcpy(mgr->ssl_session_context, "mesa-tfe", sizeof(mgr->ssl_session_context));
|
||||
|
||||
@@ -608,39 +598,6 @@ error_out:
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int ssl_conn_verify_cert(X509_STORE * store, const SSL * ssl, char** error_string)
|
||||
{
|
||||
int ret = 0, err_code=0;
|
||||
char *subj=NULL, *issuer=NULL;
|
||||
STACK_OF(X509) * cert_chain = SSL_get_peer_cert_chain(ssl);
|
||||
if (cert_chain == NULL)
|
||||
{
|
||||
// The peer certificate chain is not necessarily available after reusing a session, in which case a NULL pointer is returned.
|
||||
return 1;
|
||||
}
|
||||
X509_STORE_CTX * ctx = X509_STORE_CTX_new();
|
||||
X509 * cert = sk_X509_value(cert_chain, 0);
|
||||
ret = X509_STORE_CTX_init(ctx, store, cert, cert_chain);
|
||||
assert(ret == 1);
|
||||
|
||||
//If a complete chain can be built and validated this function returns 1, otherwise it return zero or negtive code.
|
||||
ret = X509_verify_cert(ctx);
|
||||
if(ret!=1)
|
||||
{
|
||||
err_code=X509_STORE_CTX_get_error(ctx);
|
||||
subj=ssl_x509_subject(cert);
|
||||
issuer=ssl_x509_issuer(cert);
|
||||
asprintf(error_string, "%s : subject - %s issuer - %s"
|
||||
, X509_verify_cert_error_string(err_code)
|
||||
, subj
|
||||
, issuer);
|
||||
free(subj);
|
||||
free(issuer);
|
||||
}
|
||||
X509_STORE_CTX_free(ctx);
|
||||
return (ret == 1);
|
||||
}
|
||||
|
||||
void peek_client_hello_ctx_free(struct peek_client_hello_ctx * _ctx)
|
||||
{
|
||||
event_free(_ctx->ev);
|
||||
@@ -975,7 +932,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
|
||||
struct ssl_stream * s_stream = ctx->s_stream;
|
||||
struct ssl_mgr* mgr=s_stream->mgr;
|
||||
SSL_SESSION * ssl_sess = NULL;
|
||||
char* error_string=NULL;
|
||||
char error_string[TFE_STRING_MAX];
|
||||
|
||||
if (events & BEV_EVENT_ERROR)
|
||||
{
|
||||
@@ -1000,7 +957,8 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
|
||||
|
||||
if(!SSL_session_reused(s_stream->ssl))
|
||||
{
|
||||
s_stream->is_peer_cert_verify_passed = ssl_conn_verify_cert(s_stream->mgr->trust_CA_store, s_stream->ssl, &error_string);
|
||||
s_stream->is_peer_cert_verify_passed = ssl_trusted_cert_storage_verify_conn(s_stream->mgr->trust_CA_store,
|
||||
s_stream->ssl, error_string, sizeof(error_string));
|
||||
if(s_stream->is_peer_cert_verify_passed)
|
||||
{
|
||||
//ONLY verified session is cacheable.
|
||||
@@ -1015,7 +973,6 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
|
||||
char* addr_str=tfe_string_addr_create_by_fd(ctx->fd_upstream, CONN_DIR_UPSTREAM);
|
||||
TFE_LOG_INFO(mgr->logger, "Fake Cert %s %s : %s", addr_str, ctx->s_stream->client_hello->sni, error_string);
|
||||
free(addr_str);
|
||||
free(error_string);
|
||||
}
|
||||
}
|
||||
else
|
||||
@@ -1084,7 +1041,7 @@ static void peek_chello_on_fail(enum e_future_error err, const char * what, void
|
||||
return;
|
||||
}
|
||||
|
||||
extern void ssl_async_upstream_create(struct future * f, struct ssl_mgr * mgr, evutil_socket_t fd_upstream,
|
||||
void ssl_async_upstream_create(struct future * f, struct ssl_mgr * mgr, evutil_socket_t fd_upstream,
|
||||
evutil_socket_t fd_downstream, struct event_base * evbase)
|
||||
{
|
||||
struct promise * p = future_to_promise(f);
|
||||
@@ -1535,7 +1492,7 @@ void ask_keyring_on_fail(enum e_future_error error, const char * what, void * us
|
||||
/*
|
||||
* Create a SSL stream for the incoming connection, based on the upstream.
|
||||
*/
|
||||
extern void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct ssl_stream * upstream,
|
||||
void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct ssl_stream * upstream,
|
||||
evutil_socket_t fd_downstream, int keyring_id, struct event_base * evbase)
|
||||
{
|
||||
|
||||
@@ -1710,3 +1667,26 @@ void ssl_stream_free_and_close_fd(struct ssl_stream * s_stream, struct event_bas
|
||||
sslshutctx = ssl_shutdown_ctx_new(s_stream, evbase);
|
||||
pxy_ssl_shutdown_cb(fd, 0, sslshutctx);
|
||||
}
|
||||
|
||||
int ssl_manager_add_trust_ca(struct ssl_mgr* mgr, const char* pem_file)
|
||||
{
|
||||
return ssl_trusted_cert_storage_add(mgr->trust_CA_store, SSL_X509_OBJ_CERT, pem_file);
|
||||
}
|
||||
int ssl_manager_del_trust_ca(struct ssl_mgr* mgr, const char* pem_file)
|
||||
{
|
||||
return ssl_trusted_cert_storage_del(mgr->trust_CA_store, SSL_X509_OBJ_CERT, pem_file);
|
||||
}
|
||||
int ssl_manager_add_crl(struct ssl_mgr* mgr, const char* pem_file)
|
||||
{
|
||||
return ssl_trusted_cert_storage_add(mgr->trust_CA_store, SSL_X509_OBJ_CRL, pem_file);
|
||||
}
|
||||
int ssl_manager_del_crl(struct ssl_mgr* mgr, const char* pem_file)
|
||||
{
|
||||
return ssl_trusted_cert_storage_del(mgr->trust_CA_store, SSL_X509_OBJ_CRL, pem_file);
|
||||
}
|
||||
void ssl_manager_reset_trust_ca(struct ssl_mgr* mgr)
|
||||
{
|
||||
ssl_trusted_cert_storage_reset(mgr->trust_CA_store);
|
||||
return;
|
||||
}
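Review bot: In the ssl_server_connected_eventcb hunk, `char error_string[TFE_STRING_MAX];` replaces the NULL-initialised heap pointer but is left uninitialised, and the buffer is later passed to `TFE_LOG_INFO(mgr->logger, "Fake Cert %s %s : %s", ...)` on the verification-failed path; unless ssl_trusted_cert_storage_verify_conn is guaranteed to write a NUL-terminated message on every failing return (not visible here), that log reads indeterminate stack bytes as a string. Initialising the buffer at declaration, `char error_string[TFE_STRING_MAX] = "";`, makes the log safe regardless of the callee's contract and keeps the old "empty when nothing was reported" semantics. Separately, the ssl_manager_init hunk drops the X509_STORE_set_default_paths call and the trust_CA_dir load while the struct keeps the trust_CA_dir field, so that config key is now silently ignored; a short comment at the ssl_trusted_cert_storage_create call stating that only trust_CA_file is consulted (or removing the field) would make this intentional. The enclosing function ssl_server_connected_eventcb starts and ends outside the hunk.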
|
||||
|
||||
|
||||