编写连接业务层的代码。

2019-05-18 18:27:13 +08:00
parent 3f305a9e88
commit 61bc647d1f
8 changed files with 249 additions and 63 deletions
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -200,7 +200,7 @@ struct ssl_stream
 		struct ssl_upstream_parts up_parts;
 		struct ssl_downstream_parts down_parts;
 	};
-	int ssl_min_ver, ssl_max_ver;
+	int ssl_min_version, ssl_max_version, negotiated_version;
 	const unsigned char* alpn_selected;	//reference to SSL_ALPN_HTTP_2/SSL_ALPN_HTTP_1_1
 	struct ssl_stream* peer;
 	struct __ssl_stream_debug _do_not_use;
@@ -393,7 +393,7 @@ void ssl_stat_init(struct ssl_mgr * mgr)

 	return;
 }
-static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt, const unsigned char* selected_alpn);
+static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt, int negotiated_version, const unsigned char* selected_alpn);
 static SSL * upstream_ssl_create(struct ssl_mgr * mgr, struct ssl_stream* s_stream, evutil_socket_t fd);

 static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr);
@@ -407,26 +407,34 @@ struct ssl_chello * ssl_peek_result_release_chello(future_result_t * result)
 }

 struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enum tfe_conn_dir dir,
-	struct ssl_chello * client_hello, struct keyring * kyr, const unsigned char* selected_alpn)
+	struct ssl_chello * client_hello, struct keyring * kyr, struct ssl_stream * peer)
 {

 	UNUSED int ret = 0;
+	const unsigned char* selected_alpn=peer->alpn_selected;
+
 	struct ssl_stream * s_stream = ALLOC(struct ssl_stream, 1);
 	s_stream->dir = dir;
 	s_stream->mgr = mgr;
 	s_stream->_do_not_use.fd = fd;
 	assert(ret == 0);
+	s_stream->ssl_max_version=mgr->ssl_max_version;
+	s_stream->ssl_min_version=mgr->ssl_min_version;
+	s_stream->peer=peer;
 	switch (dir)
 	{
-		case CONN_DIR_DOWNSTREAM:		
+		case CONN_DIR_DOWNSTREAM:
+			assert(peer!=NULL);
 			ATOMIC_INC(&(s_stream->mgr->stat_val[SSL_DOWN_NEW]));
 			s_stream->down_parts.keyring = kyr;
-			s_stream->ssl = downstream_ssl_create(mgr, kyr, selected_alpn);
+			s_stream->ssl = downstream_ssl_create(mgr, kyr, peer->negotiated_version, selected_alpn);
 			break;
-		case CONN_DIR_UPSTREAM: 
+		case CONN_DIR_UPSTREAM:
 			ATOMIC_INC(&(s_stream->mgr->stat_val[SSL_UP_NEW]));
-			s_stream->up_parts.verify_param.no_verify_expiry_date=1;		
-			s_stream->up_parts.client_hello = client_hello;			
+			s_stream->up_parts.verify_param.no_verify_cn=1;
+			s_stream->up_parts.client_hello = client_hello;
+			s_stream->ssl_min_version=client_hello->min_version.ossl_format;
+			s_stream->ssl_max_version=client_hello->max_version.ossl_format;
 			s_stream->ssl = upstream_ssl_create(mgr, s_stream, fd);
 			break;
 		default: assert(0);
@@ -467,45 +475,7 @@ static void ssl_stream_free(struct ssl_stream * s_stream)
 	return;
 }

-static int sslver_str2num(const char * version_str)
-{
-	int sslversion = -1;

-	assert(OPENSSL_VERSION_NUMBER >= 0x10100000L);
-
-	/*
-	 * Support for SSLv2 and the corresponding SSLv2_method(),
-	 * SSLv2_server_method() and SSLv2_client_method() functions were
-	 * removed in OpenSSL 1.1.0.
-	 */
-	if (!strcmp(version_str, "ssl3"))
-	{
-		sslversion = SSL3_VERSION;
-	}
-	else if (!strcmp(version_str, "tls10") || !strcmp(version_str, "tls1"))
-	{
-		sslversion = TLS1_VERSION;
-	}
-	else if (!strcmp(version_str, "tls11"))
-	{
-		sslversion = TLS1_1_VERSION;
-	}
-	else if (!strcmp(version_str, "tls12"))
-	{
-		sslversion = TLS1_2_VERSION;
-	}
-	else if (!strcmp(version_str, "tls13"))
-	{
-		sslversion = TLS1_3_VERSION;
-	}
-
-	else
-	{
-		sslversion = -1;
-	}
-
-	return sslversion;
-}
 static void log_ssl_master_key(SSL* ssl, int fd, tfe_conn_dir dir, FILE* fp)
 {
 	char* key_str=NULL;
@@ -829,8 +799,8 @@ static SSL * upstream_ssl_create(struct ssl_mgr * mgr, struct ssl_stream* s_stre
 		ret=SSL_CTX_set_cipher_list(sslctx, mgr->default_ciphers);
 	}

-	if (SSL_CTX_set_min_proto_version(sslctx, mgr->ssl_min_version) == 0 ||
-		SSL_CTX_set_max_proto_version(sslctx, mgr->ssl_max_version) == 0)
+	if (SSL_CTX_set_min_proto_version(sslctx, s_stream->ssl_min_version) == 0 ||
+		SSL_CTX_set_max_proto_version(sslctx, s_stream->ssl_max_version) == 0)
 	{
 		SSL_CTX_free(sslctx);
 		return NULL;
@@ -868,7 +838,7 @@ static SSL * upstream_ssl_create(struct ssl_mgr * mgr, struct ssl_stream* s_stre
 		{
 			/* session resuming based on remote endpoint address and port */
 			sess = up_session_get(mgr->up_sess_cache, (struct sockaddr *) &addr, addrlen, chello->sni, 
-								SSL_get_min_proto_version(ssl), SSL_get_max_proto_version(ssl));
+								s_stream->ssl_min_version, s_stream->ssl_max_version);
 			if (sess)
 			{
 				SSL_set_session(ssl, sess);    /* increments sess refcount */
@@ -1171,6 +1141,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
 				s_stream->alpn_selected=NULL;
 			}
 		}
+		s_stream->negotiated_version=SSL_version(s_stream->ssl);
 		promise_success(p, ctx);
 	}
 	wrap_ssl_connect_server_ctx_free(ctx);
@@ -1479,7 +1450,7 @@ static int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
 * Create and set up a new SSL_CTX instance for terminating SSL.
 * Set up all the necessary callbacks, the keyring, the keyring chain and key.
 */
-static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt, const unsigned char* selected_alpn)
+static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt, int negotiated_version, const unsigned char* selected_alpn)
 {
 	SSL_CTX * sslctx = SSL_CTX_new(mgr->sslmethod());
 	if (!sslctx) return NULL;
@@ -1490,7 +1461,16 @@ static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt, c
 	SSL_CTX_set_cipher_list(sslctx, mgr->default_ciphers);

 	//TFE's OPENSSL_VERSION_NUMBER >= 0x10100000L
-	if (mgr->ssl_min_version)
+	if(negotiated_version)
+	{
+		if (SSL_CTX_set_min_proto_version(sslctx, negotiated_version) == 0 ||
+			SSL_CTX_set_max_proto_version(sslctx, negotiated_version) == 0)
+		{
+			SSL_CTX_free(sslctx);
+			return NULL;
+		}
+	}
+	else if(mgr->ssl_min_version)
 	{
 		if (SSL_CTX_set_min_proto_version(sslctx, mgr->ssl_min_version) == 0 ||
 			SSL_CTX_set_max_proto_version(sslctx, mgr->ssl_max_version) == 0)
@@ -1664,6 +1644,7 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
 		{
 			log_ssl_master_key(ctx->downstream->ssl, ctx->fd_downstream, CONN_DIR_DOWNSTREAM, mgr->fp_master_key);
 		}
+		ctx->downstream->negotiated_version=SSL_version(ctx->downstream->ssl);
 		promise_success(p, ctx);
 	}
 	ssl_connect_client_ctx_free(ctx);
@@ -1682,10 +1663,8 @@ void ask_keyring_on_succ(void * result, void * user)
 	kyr = key_keeper_release_keyring(result);	//kyr will be freed at ssl downstream closing.
 	
 	clock_gettime(CLOCK_MONOTONIC, &(ctx->start));
-	ctx->downstream = ssl_stream_new(mgr, ctx->fd_downstream, CONN_DIR_DOWNSTREAM,
-										ctx->origin_ssl->up_parts.client_hello, kyr,
-										ctx->origin_ssl?ctx->origin_ssl->alpn_selected:NULL);
-	ctx->downstream->peer=ctx->origin_ssl;
+	ctx->downstream = ssl_stream_new(mgr, ctx->fd_downstream, CONN_DIR_DOWNSTREAM, NULL,
+										kyr, ctx->origin_ssl);
 	ctx->bev_down = bufferevent_openssl_socket_new(evbase, ctx->fd_downstream, ctx->downstream->ssl,
 		BUFFEREVENT_SSL_ACCEPTING, BEV_OPT_DEFER_CALLBACKS | BEV_OPT_THREADSAFE);
 	bufferevent_openssl_set_allow_dirty_shutdown(ctx->bev_down, 1);
@@ -1930,7 +1909,10 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
 			upstream->up_parts.block_fake_cert=opt_val;
 			break;
 		case	SSL_STREAM_OPT_PROTOCOL_MIN_VERSION:
+			upstream->ssl_min_version=opt_val;
+			break;
 		case	SSL_STREAM_OPT_PROTOCOL_MAX_VERSION:
+			upstream->ssl_max_version=opt_val;
 			break;
 		default:
 			return 0;