#68 从目录中加载额外的证书和crl。

common/include/tfe_utils.h

@@ -6,6 +6,7 @@
 #pragma once
 #include <MESA/MESA_handle_logger.h>
 #include <time.h>
+#include <dirent.h> //scan_dir
 
 #define TFE_STRING_MAX			2048
 #define	TFE_PATH_MAX			256
@@ -156,5 +157,8 @@ static inline unsigned char* tfe_hexdump(unsigned char *dst, unsigned char *src,
 
     return dst;
 }
+int tfe_scandir(const char *dir, struct dirent ***namelist,
+              int(*filter)(const struct dirent *),
+              int(*compar)(const void *, const void *));
 
 const char * tfe_version();

common/src/tfe_utils.cpp

@@ -73,4 +73,59 @@ char *tfe_thread_safe_ctime(const time_t *tp, char *buf, int len)
              month_str[month], day + 1, hour, min, sec, year);
     return buf;
 }
+//replacement of glibc scandir, to adapt dictator malloc wrap
+int tfe_scandir(const char *dir, struct dirent ***namelist,
+              int(*filter)(const struct dirent *),
+              int(*compar)(const void *, const void *))
+{
+	DIR * od;
+	int n = 0;
+	int ENLARGE_STEP=1024;
+	int DIR_ENT_SIZE=ENLARGE_STEP;
+	struct dirent ** list = NULL;
+	struct dirent * p;
+	struct dirent entry,*result;
+
+	if((dir == NULL) || (namelist == NULL))
+		return -1;
+
+	od = opendir(dir);
+	if(od == NULL)
+		return -1;
+    
+	list = (struct dirent **)malloc(DIR_ENT_SIZE*sizeof(struct dirent *));
+  
+  
+	while(0==readdir_r(od,&entry,&result))
+	{
+		if(result==NULL)
+		{
+			break;
+		}
+		if( filter && !filter(&entry))
+			continue;
+		
+		p = (struct dirent *)malloc(sizeof(struct dirent));
+		memcpy((void *)p,(void *)(&entry),sizeof(struct dirent));
+		list[n] = p;
+
+		n++;
+		if(n >= DIR_ENT_SIZE)
+		{
+			DIR_ENT_SIZE+=ENLARGE_STEP;
+			list=(struct dirent **)realloc((void*)list,DIR_ENT_SIZE*sizeof(struct dirent *));
+
+		}
+	} 
+
+	closedir(od); 
+
+	*namelist = list;
+
+	if(compar)
+	qsort((void *)*namelist,n,sizeof(struct dirent *),compar); 
+
+	return n; 
+   
+}
 

conf/tfe/tfe.conf

@@ -4,9 +4,14 @@ uxdomain=/home/server_unixsocket_file
 ssl_max_version=tls12
 no_session_ticket=0
 log_master_key=1
+trusted_cert_file=./conf/tls-ca-bundle.pem
+trusted_cert_dir=./conf/trusted_storage
 key_log_file=./sslkeylog.log
+no_alpn=1
 
 [key_keeper]
+#Mode: debug - generate cert with ca_path, normal - generate cert with cert store
+#mode = normal
 mode = debug
 cert_store_host=192.168.11.100
 cert_store_port=9991
@@ -17,8 +22,9 @@ untrusted_ca_path=conf/mesalab-ca-untrust.pem
 passthrough_all_tcp=0
 
 [tcp]
-so_keepalive=1
+so_keepalive=0
 tcp_keepcnt=8
 tcp_keepintvl=15
 tcp_keepidle=30
 tcp_user_timeout=30
+

conf/tfe/trusted_storage/DigiCertSHA2SecureServerCA.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
+U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
+nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
+KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
+/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
+kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
+/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
+aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
+Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
+oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
+QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
+d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
+xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
+CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
+5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
+8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
+2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
+c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
+j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
+-----END CERTIFICATE-----

platform/include/internal/ssl_trusted_cert_storage.h

@@ -8,7 +8,7 @@ enum ssl_X509_obj_type
 };
 
 struct ssl_trusted_cert_storage;
-struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle);
+struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir);
 void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage);
 
 int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, const SSL * ssl, char* reason, size_t n_reason);

platform/src/ssl_stream.cpp

@@ -132,7 +132,9 @@ struct ssl_mgr
 	char * crl_url;
 
 	uint8_t ssl_mode_release_buffers;
-	char trust_CA_file[TFE_PATH_MAX];
+	char trusted_cert_file[TFE_PATH_MAX];
+	char trusted_cert_dir[TFE_PATH_MAX];
+
 	char crl_file[TFE_PATH_MAX];
 
 	struct ssl_trusted_cert_storage * trust_CA_store;
@@ -565,20 +567,17 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
 		goto error_out;
 	}
 	
-	MESA_load_profile_string_def(ini_profile, section, "trust_CA_file", mgr->trust_CA_file, sizeof(mgr->trust_CA_file),
+	MESA_load_profile_string_def(ini_profile, section, "trusted_cert_file", mgr->trusted_cert_file, sizeof(mgr->trusted_cert_file),
 		"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem");
 	
-	mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trust_CA_file);
+	MESA_load_profile_string_def(ini_profile, section, "trusted_cert_dir", mgr->trusted_cert_dir, sizeof(mgr->trusted_cert_dir),
+		"./conf/trusted_storage");
+	mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir);
 	if (mgr->trust_CA_store == NULL)
 	{
 		TFE_LOG_ERROR(logger, "Failed at creating X509_STORE");
 		goto error_out;
 	}
-	MESA_load_profile_string_def(ini_profile, section, "crl_file", mgr->crl_file, sizeof(mgr->crl_file), "");
-	if(strlen(mgr->crl_file)>0)
-	{
-		ssl_trusted_cert_storage_add(mgr->trust_CA_store, SSL_X509_OBJ_CRL, mgr->crl_file);
-	}
 
 	memcpy(mgr->ssl_session_context, "mesa-tfe", sizeof(mgr->ssl_session_context));
 
@@ -941,23 +940,27 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
 	struct ssl_stream * s_stream = ctx->s_stream;
 	struct ssl_mgr* mgr=s_stream->mgr;
 	SSL_SESSION * ssl_sess = NULL;
-	char error_string[TFE_STRING_MAX];
+	char error_str[TFE_STRING_MAX];
+	const char* sni=s_stream->client_hello->sni?s_stream->client_hello->sni:"null";
 
 	if (events & BEV_EVENT_ERROR)
 	{
 		ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));
 		ssl_stream_log_error(bev, CONN_DIR_UPSTREAM, ctx->mgr->logger);
-		promise_failed(p, FUTURE_ERROR_EXCEPTION, "connect to original server failed.");
+		snprintf(error_str, sizeof(error_str), "connect to original server failed : sni=%s", sni);
+		promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
 	}
 	else if(events & BEV_EVENT_EOF)
 	{		
-		ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));
+		ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));		
-		promise_failed(p, FUTURE_ERROR_EXCEPTION, "original server closed.");
+		snprintf(error_str, sizeof(error_str), "original server closed : sni=%s", sni);
+		promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
 	}
 	else if(events & BEV_EVENT_TIMEOUT)
 	{
-		ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));
+		ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));		
-		promise_failed(p, FUTURE_ERROR_TIMEOUT, NULL);
+		snprintf(error_str, sizeof(error_str), "timeout : sni=%s", sni);
+		promise_failed(p, FUTURE_ERROR_TIMEOUT, error_str);
 	}
 	else if(events & BEV_EVENT_CONNECTED)
 	{		
@@ -967,7 +970,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
 		if(!SSL_session_reused(s_stream->ssl))
 		{
 			s_stream->is_peer_cert_verify_passed = ssl_trusted_cert_storage_verify_conn(s_stream->mgr->trust_CA_store, 
-													s_stream->ssl, error_string, sizeof(error_string));
+													s_stream->ssl, error_str, sizeof(error_str));
 			if(s_stream->is_peer_cert_verify_passed)
 			{
 				//ONLY verified session is cacheable.
@@ -980,7 +983,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
 			{
 				ATOMIC_INC(&(mgr->stat_val[SSL_FAKE_CRT]));
 				char* addr_str=tfe_string_addr_create_by_fd(ctx->fd_upstream, CONN_DIR_UPSTREAM);
-				TFE_LOG_INFO(mgr->logger, "Fake Cert %s %s : %s", addr_str, ctx->s_stream->client_hello->sni, error_string);
+				TFE_LOG_INFO(mgr->logger, "Fake Cert %s %s : %s", addr_str, ctx->s_stream->client_hello->sni, error_str);
 				free(addr_str);
 			}
 		}
@@ -1430,22 +1433,26 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
 	struct ssl_stream * s_stream = ctx->downstream;
 	struct ssl_mgr* mgr=s_stream->mgr;
 	SSL_SESSION * ssl_sess = NULL;
-
+	const char* sni=ctx->origin_ssl->client_hello->sni?ctx->origin_ssl->client_hello->sni:"null";
+	char error_str[TFE_STRING_MAX]={0};
 	if (events & BEV_EVENT_ERROR)
 	{
 		ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
 		ssl_stream_log_error(bev, CONN_DIR_DOWNSTREAM, mgr->logger);
-		promise_failed(p, FUTURE_ERROR_EXCEPTION, "connect to client failed.");
+		snprintf(error_str, sizeof(error_str), "connect to client failed : sni=%s", sni);
+		promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
 	}
 	else if(events & BEV_EVENT_EOF)
 	{		
-		ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
+		ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));		
-		promise_failed(p, FUTURE_ERROR_EXCEPTION, "client side closed.");
+		snprintf(error_str, sizeof(error_str), "client side closed : sni=%s", sni);
+		promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
 	}
 	else if(events & BEV_EVENT_TIMEOUT)
 	{
 		ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
-		promise_failed(p, FUTURE_ERROR_TIMEOUT, NULL);
+		snprintf(error_str, sizeof(error_str), "timeout : sni=%s", sni);
+		promise_failed(p, FUTURE_ERROR_TIMEOUT, error_str);
 	}
 	else if(events & BEV_EVENT_CONNECTED)
 	{		

platform/src/ssl_trusted_cert_storage.cpp

@@ -26,15 +26,79 @@ static void free_ssl_x509_obj(void* data)
 }
 struct ssl_trusted_cert_storage
 {
-	char* pem_bundle;
+	char* pem_bundle, *pem_dir;
     MESA_htable_handle hash_table;
 	pthread_rwlock_t rwlock;
 	X509_STORE* effective_store;
 };
-static X509_STORE* _X509_store_create(const char* pem_bundle)
+ static int _X509_add_cert_or_crl_add(X509_STORE* store,  enum ssl_X509_obj_type type, const char* filename)
+ {
+	 int ret=0;
+	 BIO *bio=NULL;
+	 X509* x=NULL;
+	 X509_CRL* x_crl=NULL;
+	 int error;
+	 
+	 bio=BIO_new_file(filename, "r");
+	 if(bio==NULL)
+	 {
+		 return -1;
+	 }
+	 ret=0;
+	 if(type==SSL_X509_OBJ_CERT)
+	 {
+		 while(NULL!=(x=PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)))
+		 {
+			 ret=X509_STORE_add_cert(store, x);
+			 if(ret==0)
+			 {
+				 X509_free(x);
+				 break;
+			 }
+		 }
+	 }
+	 else if(type==SSL_X509_OBJ_CRL)
+	 {
+		 while(NULL!=(x_crl=PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL)))
+		 {
+			 ret=X509_STORE_add_crl(store, x_crl);
+			 if(ret==0)
+			 {
+				  X509_CRL_free(x_crl);
+				  break;
+			 }		 
+		 }
+	 }
+	 if(ret==0)
+	 {
+		 BIO_free(bio);
+		 return -1;
+	 }
+	 BIO_free(bio);
+	 return 1;
+ }
+
+ static int filter_pem_fn(const struct dirent * ent)
+ {
+ 	const char* fn_suffix=".pem";
+ 	if(strlen(ent->d_name)< strlen(fn_suffix))
+	{
+		return 0;
+	}
+	if(0!=strcmp(ent->d_name+strlen(ent->d_name)-strlen(fn_suffix), fn_suffix))
+	{
+		return 0;
+	}
+	return 1;
+ }
+
+static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_dir)
 {
-	int ret=0;
+	int ret=0, n=0, i=0;
+	
+	struct dirent **namelist;
 	X509_STORE* store=X509_STORE_new();
+	char path[TFE_STRING_MAX]={0};
 	if (store == NULL)
 	{
 		return NULL;
@@ -55,6 +119,24 @@ static X509_STORE* _X509_store_create(const char* pem_bundle)
 	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
 	X509_STORE_set1_param(store, param);
 	X509_VERIFY_PARAM_free(param);
+
+	n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort);
+	
+	for(i=0;i<n;i++)
+	{
+		snprintf(path, sizeof(path), "%s/%s",pem_dir, namelist[i]->d_name);
+		if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".pem"), ".pem"))
+		{
+			_X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CERT, path);
+		}
+		else if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".crl"), ".crl"))
+		{
+			_X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CRL, path);
+		}
+		free(namelist[i]);
+	}
+	free(namelist);
+
 	return store;
 }
 static MESA_htable_handle _create_mesa_htable(void)
@@ -76,18 +158,18 @@ static MESA_htable_handle _create_mesa_htable(void)
 	ret = MESA_htable_mature(htable);
 	return htable;
 }
-struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle)
+struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir)
 {
 	int ret=0;
 	struct ssl_trusted_cert_storage* storage=ALLOC(struct ssl_trusted_cert_storage, 1);
-	storage->effective_store=_X509_store_create(pem_bundle);
+	storage->effective_store=_X509_store_create(pem_bundle, pem_dir);
 	if (storage->effective_store == NULL)
 	{
 		return NULL;
 	}
 
 	storage->pem_bundle=tfe_strdup(pem_bundle);
-	
+	storage->pem_dir=tfe_strdup(pem_dir);
 	storage->hash_table=_create_mesa_htable();
 	pthread_rwlock_init(&(storage->rwlock), NULL);
 	
@@ -100,52 +182,7 @@ void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage)
 	return;
 }
 
-static int _X509_add_cert_or_crl_add(X509_STORE* store,  enum ssl_X509_obj_type type, const char* filename)
+
-{
-	int ret=0;
-	BIO *bio=NULL;
-	X509* x=NULL;
-	X509_CRL* x_crl=NULL;
-	int error;
-	
-	bio=BIO_new_file(filename, "r");
-	if(bio==NULL)
-	{
-		return -1;
-	}
-	ret=0;
-	if(type==SSL_X509_OBJ_CERT)
-	{
-		while(NULL!=(x=PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)))
-		{
-			ret=X509_STORE_add_cert(store, x);
-			if(ret==0)
-			{
-				X509_free(x);
-				break;
-			}
-		}
-	}
-	else if(type==SSL_X509_OBJ_CRL)
-	{
-		while(NULL!=(x_crl=PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL)))
-		{
-			ret=X509_STORE_add_crl(store, x_crl);
-			if(ret==0)
-			{
-				 X509_CRL_free(x_crl);
-				 break;
-			}		
-		}
-	}
-	if(ret==0)
-	{
-		BIO_free(bio);
-		return -1;
-	}
-	BIO_free(bio);
-	return 1;
-}
 int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename)
 {
 
@@ -198,7 +235,7 @@ int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum
 		ret=-1;
 		goto error_out;
 	}
-	temp_store=_X509_store_create(storage->pem_bundle);
+	temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir);
 	MESA_htable_iterate(storage->hash_table, cert_storage_htable_traverse_cb, temp_store);
 	X509_STORE_free(storage->effective_store);
 	storage->effective_store=temp_store;
@@ -215,7 +252,7 @@ void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage)
 	MESA_htable_destroy(storage->hash_table, NULL);
 	
 	storage->hash_table=_create_mesa_htable();
-	temp_store=_X509_store_create(storage->pem_bundle);
+	temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir);
 
 	pthread_rwlock_wrlock(&(storage->rwlock));
 	X509_STORE_free(storage->effective_store);

plugin/business/pangu-http/src/pangu_web_cache.cpp

@@ -329,7 +329,7 @@ void cached_meta_set(struct cached_meta* meta, enum CACHE_RESULT_TYPE type, cons
 			break;
 		case RESULT_TYPE_USERTAG:
 			meta->last_modified=read_http1_hdr(data_frag, "Last-Modified");
-			if(0==strcasecmp(meta->last_modified, "Thu, 01 Jan 1970 00:00:00 GMT"))
+			if(meta->last_modified!=NULL && 0==strcasecmp(meta->last_modified, "Thu, 01 Jan 1970 00:00:00 GMT"))
 			{
 				FREE(&(meta->last_modified));
 			}
@@ -704,7 +704,6 @@ void web_cache_update(struct cache_update_context* ctx, const unsigned char * bo
 }
 void web_cache_update_end(struct cache_update_context* ctx)
 {
-	fprintf(stderr, "------- web_cache_update_end , %p\n", ctx);
 
 	tango_cache_update_end(ctx->write_ctx);
 	ATOMIC_DEC(&(ctx->ref_cache_handle->stat_val[STAT_CACHE_UPLOADING]));