From 6b197e33479f635da8dd3d406d1b254bc6e682ba Mon Sep 17 00:00:00 2001
From: zhengchao
Date: Fri, 24 May 2019 11:26:41 +0800
Subject: [PATCH] =?UTF-8?q?=E8=AF=81=E4=B9=A6=E6=A0=A1=E9=AA=8C=E9=80=89?= =?UTF-8?q?=E9=A1=B9=E5=8F=8A=E6=A0=A1=E9=AA=8C=E5=A4=B1=E8=B4=A5=E5=8A=A8?= =?UTF-8?q?=E4=BD=9C=E8=87=AA=E6=B5=8B=E9=80=9A=E8=BF=87=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 platform/src/ssl_stream.cpp | 24 +++++++++----------
 plugin/business/ssl-policy/src/ssl_policy.cpp | 6 ++---
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index 8f47246..4c40d72 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -1107,7 +1107,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
 sslerr=ssl_stream_log_error(bev, CONN_DIR_UPSTREAM, ctx->mgr);
 if(sslerr)
 {
- s_stream->up_parts.svc_status.has_protocol_errors=1;
+ s_upstream->svc_status.has_protocol_errors=1;
 ssl_service_cache_write(mgr->svc_cache, s_stream->up_parts.client_hello, &(s_stream->up_parts.svc_status));
 }
 snprintf(error_str, sizeof(error_str), "connect to original server failed : sni=%s", sni);
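Review bot: The handshake-failure branch of ssl_server_connected_eventcb now reaches the same state through two spellings: the flag is set via `s_upstream->svc_status`, while the `ssl_service_cache_write` call on the next line still goes through `s_stream->up_parts`. Assuming `s_upstream` points at `s_stream->up_parts` (its declaration is outside the hunk), the call is easier to audit as `ssl_service_cache_write(mgr->svc_cache, s_upstream->client_hello, &(s_upstream->svc_status));`, which is how the second hunk of this file already writes it. The same leftover spelling remains in the second hunk on the `ssl_trusted_cert_storage_verify_conn` arguments and on `s_stream->up_parts.action`. The function body starts and ends outside the hunk.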
@@ -1143,29 +1143,29 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events, { if(mgr->no_cert_verify) { - s_stream->up_parts.is_server_cert_verify_passed=1; + s_upstream->is_server_cert_verify_passed=1; } else { - s_stream->up_parts.is_server_cert_verify_passed = ssl_trusted_cert_storage_verify_conn(s_stream->mgr->trust_CA_store, + s_upstream->is_server_cert_verify_passed = ssl_trusted_cert_storage_verify_conn(s_stream->mgr->trust_CA_store, s_stream->ssl, s_stream->up_parts.client_hello->sni, &(s_stream->up_parts.verify_param), error_str, sizeof(error_str), &(s_stream->up_parts.verify_result)); - s_stream->up_parts.svc_status.is_ct=s_stream->up_parts.verify_result.is_ct; - s_stream->up_parts.svc_status.is_ev=s_stream->up_parts.verify_result.is_ev; - ssl_service_cache_write(mgr->svc_cache, s_stream->up_parts.client_hello, &(s_stream->up_parts.svc_status)); + s_upstream->svc_status.is_ct=s_upstream->verify_result.is_ct; + s_upstream->svc_status.is_ev=s_upstream->verify_result.is_ev; + ssl_service_cache_write(mgr->svc_cache, s_upstream->client_hello, &(s_upstream->svc_status)); TFE_LOG_DEBUG(mgr->logger, "SNI: %s hostmatch:%d, ct:%d, ev:%d", s_upstream->client_hello->sni, - s_stream->up_parts.verify_result.is_hostmatched, - s_stream->up_parts.verify_result.is_ct, - s_stream->up_parts.verify_result.is_ev); - if((!s_stream->up_parts.is_server_cert_verify_passed || !s_stream->up_parts.verify_result.is_hostmatched) && s_stream->up_parts.block_fake_cert) + s_upstream->verify_result.is_hostmatched, + s_upstream->verify_result.is_ct, + s_upstream->verify_result.is_ev); + if((!s_upstream->is_server_cert_verify_passed || !s_upstream->verify_result.is_hostmatched) && s_upstream->block_fake_cert) { s_stream->up_parts.action=SSL_ACTION_SHUTDOWN; } } - if(s_stream->up_parts.is_server_cert_verify_passed) + if(s_upstream->is_server_cert_verify_passed) { - if(!mgr->no_sesscache) + if(!mgr->no_sesscache && s_stream->up_parts.action==SSL_ACTION_INTERCEPT) { 
//ONLY verified session is cacheable. //The reference count of the SSL_SESSION is not incremented, so no need to free.
diff --git a/plugin/business/ssl-policy/src/ssl_policy.cpp b/plugin/business/ssl-policy/src/ssl_policy.cpp
index 33dfb1c..00af01e 100644
--- a/plugin/business/ssl-policy/src/ssl_policy.cpp
+++ b/plugin/business/ssl-policy/src/ssl_policy.cpp
@@ -107,7 +107,7 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
 item=cJSON_GetObjectItem(cert_verify, "fail_method");
 if(item && item->type==cJSON_String)
 {
- if(0==strcasecmp(item->string, "Fail-Close"))
+ if(0==strcasecmp(item->valuestring, "Fail-Close"))
 {
 param->block_fake_cert=1;
 }
@@ -121,9 +121,9 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
 if(!param->mirror_client_version)
 {
 item=cJSON_GetObjectItem(ssl_ver, "min");
- if(item && item->type==cJSON_String) param->ssl_min_version=sslver_str2num(item->string);
+ if(item && item->type==cJSON_String) param->ssl_min_version=sslver_str2num(item->valuestring);
 item=cJSON_GetObjectItem(ssl_ver, "max");
- if(item && item->type==cJSON_String) param->ssl_max_version=sslver_str2num(item->string);
+ if(item && item->type==cJSON_String) param->ssl_max_version=sslver_str2num(item->valuestring);
 }
 }
 *ad=param;
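Review bot: In the second hunk of platform/src/ssl_stream.cpp the session-cache gate can still admit an upstream session whose certificate did not match the SNI, despite the comment "ONLY verified session is cacheable". The added `action==SSL_ACTION_INTERCEPT` test excludes only the fail-close case; when `block_fake_cert` is 0 and `verify_result.is_hostmatched` is 0, nothing in the visible lines changes `action`, and `is_server_cert_verify_passed` may still be 1. Unless `ssl_trusted_cert_storage_verify_conn` already folds the hostname check into its return value (not visible here), compute the combined result once, for example `int verified = s_upstream->is_server_cert_verify_passed && !mgr->no_cert_verify && s_upstream->verify_result.is_hostmatched;`, and use `verified` as the cache gate. If sessions accepted under `no_cert_verify` are meant to be cached too, the comment should say so, because that branch sets the passed flag to 1 without any check. The function body starts and ends outside the hunk.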
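Review bot: In the first hunk of ssl_policy.cpp only the exact value "Fail-Close" has an effect, so a misspelled or unexpected `fail_method` leaves `block_fake_cert` at whatever `param` was initialised with, and nothing in the visible lines reports it. This setting decides whether a failed certificate check shuts the connection down, so an unrecognised value should be logged together with `item->valuestring`, and the safer default is to treat it as fail-close. The statement after the closing brace is outside the hunk, so an existing `else` may already cover this; if not, a comment such as `/* any other fail_method value leaves block_fake_cert unchanged */` would at least make the default explicit.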
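Review bot: The results of `sslver_str2num` go straight into `ssl_min_version` and `ssl_max_version` with no validation in the second hunk of intercept_param_new_cb. What the helper returns for an unknown string is not visible here, but a typo in the policy's "min" would then silently replace the intended protocol floor, and nothing rejects a policy whose minimum is above its maximum. Assuming the numeric values are ordered by protocol version, a check after both assignments such as `if(param->ssl_min_version > param->ssl_max_version) { /* log and keep the defaults */ }`, plus an explicit test for the helper's error value, would keep a malformed policy from weakening the negotiated version range. The function body starts and ends outside the hunk.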