在ssl policy中处理keyring。
This commit is contained in:
zhengchao
@@ -99,7 +99,11 @@ enum ssl_stream_stat
|
||||
KEY_KEEPER_ASK,
|
||||
KEY_KEEPER_ISSUE,
|
||||
|
||||
|
||||
SSL_SVC_PINNING,
|
||||
SSL_SVC_MAUTH,
|
||||
SSL_SVC_CT_CERT,
|
||||
SSL_SVC_EV_CERT,
|
||||
|
||||
SSL_STAT_MAX
|
||||
};
|
||||
struct session_ticket_key
|
||||
@@ -182,7 +186,7 @@ struct ssl_upstream_parts
|
||||
char block_fake_cert;
|
||||
struct ssl_service_status svc_status;
|
||||
enum ssl_stream_action action;
|
||||
|
||||
int keyring_id;
|
||||
struct ssl_chello * client_hello;
|
||||
int is_server_cert_verify_passed;
|
||||
};
|
||||
@@ -325,6 +329,14 @@ ssl_stream_gc_cb(evutil_socket_t fd, short what, void * arg)
|
||||
mgr->stat_val[KEY_KEEPER_ISSUE]=keeper_stat.new_issue;
|
||||
mgr->stat_val[KEY_KEEPER_CACHE_SIZE]=keeper_stat.cached_num;
|
||||
|
||||
struct ssl_service_cache_statistics svc_stat;
|
||||
memset(&svc_stat, 0, sizeof(svc_stat));
|
||||
ssl_service_cache_stat(mgr->svc_cache, &svc_stat);
|
||||
mgr->stat_val[SSL_SVC_PINNING]=svc_stat.pinning_cli_cnt;
|
||||
mgr->stat_val[SSL_SVC_MAUTH]=svc_stat.mutual_auth_cli_cnt;
|
||||
mgr->stat_val[SSL_SVC_CT_CERT]=svc_stat.ct_srv_cnt;
|
||||
mgr->stat_val[SSL_SVC_EV_CERT]=svc_stat.ev_srv_cnt;
|
||||
|
||||
for(i=0;i<SSL_STAT_MAX;i++)
|
||||
{
|
||||
FS_operate(mgr->fs_handle, mgr->fs_id[i], 0, FS_OP_SET, ATOMIC_READ(&(mgr->stat_val[i])));
|
||||
@@ -376,6 +388,12 @@ void ssl_stat_init(struct ssl_mgr * mgr)
|
||||
spec[KEY_KEEPER_ISSUE]="kyr_new";
|
||||
spec[KEY_KEEPER_CACHE_SIZE]="kyr_cache";
|
||||
|
||||
spec[SSL_SVC_PINNING]="ssl_pinning";
|
||||
spec[SSL_SVC_MAUTH]="ssl_mauth";
|
||||
spec[SSL_SVC_CT_CERT]="ssl_ct_crt";
|
||||
spec[SSL_SVC_EV_CERT]="ssl_ev_crt";
|
||||
|
||||
|
||||
for(i=0;i<SSL_STAT_MAX;i++)
|
||||
{
|
||||
if(spec[i]!=NULL)
|
||||
@@ -1741,13 +1759,13 @@ void ask_keyring_on_fail(enum e_future_error error, const char * what, void * us
|
||||
* Create a SSL stream for the incoming connection, based on the upstream.
|
||||
*/
|
||||
void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct ssl_stream * upstream,
|
||||
evutil_socket_t fd_downstream, int keyring_id, unsigned int thread_id)
|
||||
evutil_socket_t fd_downstream, unsigned int thread_id)
|
||||
{
|
||||
|
||||
assert(upstream->dir == CONN_DIR_UPSTREAM);
|
||||
const char* sni=NULL;
|
||||
struct ssl_connect_client_ctx * ctx = ALLOC(struct ssl_connect_client_ctx, 1);
|
||||
ctx->keyring_id = keyring_id;
|
||||
ctx->keyring_id = upstream->up_parts.keyring_id;
|
||||
ctx->ssl_mgr = mgr;
|
||||
ctx->fd_downstream = fd_downstream;
|
||||
ctx->thread_id = thread_id;
|
||||
@@ -1766,7 +1784,7 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct
|
||||
|
||||
ctx->f_ask_keyring = future_create("ask_kyr",ask_keyring_on_succ, ask_keyring_on_fail, p);
|
||||
ctx->is_origin_crt_verify_passed = upstream->up_parts.is_server_cert_verify_passed;
|
||||
key_keeper_async_ask(ctx->f_ask_keyring, mgr->key_keeper, sni, keyring_id, ctx->origin_crt, ctx->is_origin_crt_verify_passed,
|
||||
key_keeper_async_ask(ctx->f_ask_keyring, mgr->key_keeper, sni, ctx->keyring_id, ctx->origin_crt, ctx->is_origin_crt_verify_passed,
|
||||
evbase, dnsbase);
|
||||
return;
|
||||
}
|
||||
@@ -1965,6 +1983,9 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
|
||||
case SSL_STREAM_OPT_PROTOCOL_MAX_VERSION:
|
||||
upstream->ssl_max_version=opt_val;
|
||||
break;
|
||||
case SSL_STREAM_OPT_KEYRING_ID:
|
||||
upstream->up_parts.keyring_id=opt_val;
|
||||
break;
|
||||
default:
|
||||
assert(0);
|
||||
return 0;
|
||||
|
||||
Reference in New Issue
Block a user