修复ssl session缓存中对openssl的不正确使用。
This commit is contained in:
zhengchao
@@ -27,3 +27,5 @@ struct bufferevent * ssl_downstream_create_result_release_bev(future_result_t *
|
||||
void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct ssl_stream * upstream,
|
||||
evutil_socket_t fd_downstream, int keyring_id, struct event_base * evbase);
|
||||
void ssl_stream_free_and_close_fd(struct ssl_stream * stream, struct event_base * evbase, evutil_socket_t fd);
|
||||
void ssl_stream_log_error(struct bufferevent * bev, enum tfe_conn_dir dir, void* logger);
|
||||
|
||||
|
||||
@@ -111,7 +111,6 @@ static void __signal_handler_cb(evutil_socket_t fd, short what, void * arg)
|
||||
{
|
||||
case SIGTERM:
|
||||
case SIGQUIT:
|
||||
case SIGINT:
|
||||
case SIGHUP:
|
||||
break;
|
||||
case SIGUSR1:
|
||||
@@ -127,9 +126,11 @@ static void __signal_handler_cb(evutil_socket_t fd, short what, void * arg)
|
||||
|
||||
static void __gc_handler_cb(evutil_socket_t fd, short what, void * arg)
|
||||
{
|
||||
tfe_proxy * ctx = (tfe_proxy *) arg;
|
||||
/* tfe_proxy * ctx = (tfe_proxy *) arg;
|
||||
(void)fd;
|
||||
(void)what;
|
||||
*/
|
||||
return;
|
||||
}
|
||||
|
||||
static void * __thread_ctx_entry(void * arg)
|
||||
@@ -166,7 +167,7 @@ struct tfe_thread_ctx * __thread_ctx_create(struct tfe_proxy * proxy, unsigned i
|
||||
int ret = pthread_create(&__thread_ctx->thr, NULL, __thread_ctx_entry, (void *)__thread_ctx);
|
||||
if (unlikely(ret < 0))
|
||||
{
|
||||
TFE_LOG_ERROR(proxy->logger, "Failed at pthread_create() for thread %d: %s", strerror(errno));
|
||||
TFE_LOG_ERROR(proxy->logger, "Failed at pthread_create() for thread %d: %s",errno, strerror(errno));
|
||||
goto __errout;
|
||||
}
|
||||
|
||||
@@ -229,6 +230,13 @@ int main(int argc, char *argv[])
|
||||
g_default_proxy->kni_acceptor_handler = kni_acceptor_init(g_default_proxy, main_profile, g_default_logger);
|
||||
CHECK_OR_EXIT(g_default_proxy->kni_acceptor_handler, "Failed at init KNI acceptor. Exit. ");
|
||||
|
||||
for (size_t i = 0; i < (sizeof(signals) / sizeof(int)); i++)
|
||||
{
|
||||
g_default_proxy->sev[i] = evsignal_new(g_default_proxy->evbase, signals[i], __signal_handler_cb, g_default_proxy);
|
||||
CHECK_OR_EXIT( g_default_proxy->sev[i], "Failed at create signal event. Exit.");
|
||||
evsignal_add(g_default_proxy->sev[i], NULL);
|
||||
}
|
||||
|
||||
struct timeval gc_delay = {60, 0};
|
||||
evtimer_add(g_default_proxy->gcev , &gc_delay);
|
||||
|
||||
|
||||
@@ -7,11 +7,11 @@
|
||||
#include <MESA/MESA_htable.h>
|
||||
#include <MESA/field_stat2.h>
|
||||
|
||||
#define SESS_CACHE_NOT_FOUND -1
|
||||
#define SESS_CACHE_FOUND 0
|
||||
#define SESS_CACHE_UPDATE_OLD 1
|
||||
#define SESS_CACHE_ADD_NEW 2
|
||||
#define SESS_CACHE_INVALID 3
|
||||
#define SESS_CACHE_NOT_FOUND -1
|
||||
#define SESS_CACHE_FOUND 0
|
||||
#define SESS_CACHE_UPDATE_OLD 1
|
||||
#define SESS_CACHE_ADD_NEW 2
|
||||
#define SESS_CACHE_INVALID 3
|
||||
|
||||
struct asn1_sess
|
||||
{
|
||||
@@ -45,25 +45,34 @@ static struct asn1_sess * ssl_sess_serialize(SSL_SESSION * sess)
|
||||
{
|
||||
struct asn1_sess * result = ALLOC(struct asn1_sess, 1);
|
||||
|
||||
int __i2d_size = i2d_SSL_SESSION(sess, NULL);
|
||||
result->size = (size_t) __i2d_size;
|
||||
assert(__i2d_size > 0);
|
||||
int i = i2d_SSL_SESSION(sess, NULL), j=0;
|
||||
result->size = (size_t) i;
|
||||
unsigned char* temp=NULL;
|
||||
assert(i > 0);
|
||||
|
||||
/* When using i2d_SSL_SESSION(), the memory location pointed to by pp must be large enough to
|
||||
* hold the binary representation of the session. There is no known limit on the size of the
|
||||
* created ASN1 representation, so the necessary amount of space should be obtained by first
|
||||
* calling i2d_SSL_SESSION() with pp=NULL, and obtain the size needed,
|
||||
* then allocate the memory and call i2d_SSL_SESSION() again.*/
|
||||
|
||||
result->buff = ALLOC(unsigned char, result->size);
|
||||
i2d_SSL_SESSION(sess, &(result->buff));
|
||||
* then allocate the memory and call i2d_SSL_SESSION() again.
|
||||
*Note that this will advance the value contained in *pp so it is necessary to save a copy of the original allocation.*/
|
||||
result->buff = temp = ALLOC(unsigned char, result->size);
|
||||
|
||||
j=i2d_SSL_SESSION(sess, &(temp));
|
||||
assert(i == j);
|
||||
assert(result->buff + i == temp);
|
||||
return result;
|
||||
}
|
||||
|
||||
static SSL_SESSION * ssl_sess_deserialize(const struct asn1_sess * asn1)
|
||||
{
|
||||
SSL_SESSION * sess = NULL;
|
||||
d2i_SSL_SESSION(&sess, (const unsigned char **) &(asn1->buff), (long) asn1->size); /* increments asn1 */
|
||||
|
||||
const unsigned char *p=asn1->buff;
|
||||
/* i2d_SSL_SESSION increments the pointer pointed to by p to point one byte after the saved data
|
||||
* We save the pointer first.*/
|
||||
sess=d2i_SSL_SESSION(NULL, &(p), (long) asn1->size); /* increments asn1 */
|
||||
assert(sess!=NULL);
|
||||
return sess;
|
||||
}
|
||||
|
||||
@@ -188,7 +197,7 @@ void up_session_set(struct sess_cache * cache, struct sockaddr * addr, socklen_t
|
||||
struct asn1_sess * asn1 = NULL;
|
||||
asn1 = ssl_sess_serialize(sess);
|
||||
|
||||
struct sess_set_args set_args{.hash = cache->hash, .new_sess = asn1};
|
||||
struct sess_set_args set_args={.hash = cache->hash, .new_sess = asn1};
|
||||
MESA_htable_search_cb(cache->hash, key, key_size, sess_cache_set_cb, &set_args, &cb_ret);
|
||||
if (cb_ret == SESS_CACHE_UPDATE_OLD)
|
||||
{
|
||||
@@ -211,7 +220,7 @@ SSL_SESSION * up_session_get(struct sess_cache * cache, struct sockaddr * addr,
|
||||
MESA_htable_search_cb(cache->hash, key, key_size, sess_cache_get_cb, &sess, &cb_ret);
|
||||
free(key);
|
||||
key = NULL;
|
||||
if (cb_ret == 1)
|
||||
if (cb_ret == SESS_CACHE_FOUND)
|
||||
{
|
||||
ATOMIC_INC(&(cache->hit_cnt));
|
||||
return sess;
|
||||
@@ -238,9 +247,9 @@ void down_session_set(struct sess_cache * cache, const SSL_SESSION * sess)
|
||||
*/
|
||||
|
||||
const unsigned char * id = SSL_SESSION_get_id(sess, &idlen);
|
||||
struct sess_set_args set_args{.hash = cache->hash, .new_sess = asn1};
|
||||
struct sess_set_args set_args={.hash = cache->hash, .new_sess = asn1};
|
||||
|
||||
MESA_htable_search_cb(cache->hash, id, (unsigned int) idlen, sess_cache_set_cb, &set_args, &cb_ret);
|
||||
MESA_htable_search_cb(cache->hash, id, idlen, sess_cache_set_cb, &set_args, &cb_ret);
|
||||
if (cb_ret == SESS_CACHE_UPDATE_OLD)
|
||||
{
|
||||
ssl_sess_free_serialized(asn1);
|
||||
@@ -254,7 +263,7 @@ SSL_SESSION * down_session_get(struct sess_cache * cache, const unsigned char *
|
||||
long cb_ret = 0;
|
||||
assert(cache->served_for == CONN_DIR_DOWNSTREAM);
|
||||
MESA_htable_search_cb(cache->hash, id, (unsigned int) idlen, sess_cache_get_cb, &sess, &cb_ret);
|
||||
if (cb_ret == 1)
|
||||
if (cb_ret == SESS_CACHE_FOUND)
|
||||
{
|
||||
ATOMIC_INC(&(cache->hit_cnt));
|
||||
return sess;
|
||||
|
||||
@@ -683,10 +683,10 @@ struct bufferevent * ssl_upstream_create_result_release_bev(future_result_t * re
|
||||
ctx->bev = NULL; //giveup ownership
|
||||
return ret;
|
||||
}
|
||||
void ssl_handle_conn_origin_err(struct bufferevent * bev, void* logger)
|
||||
void ssl_stream_log_error(struct bufferevent * bev, enum tfe_conn_dir dir, void* logger)
|
||||
{
|
||||
unsigned long sslerr=0;
|
||||
|
||||
const char* dir_str=(dir==CONN_DIR_DOWNSTREAM?"downstream":"upstream");
|
||||
/* Can happen for socket errs, ssl errs;
|
||||
* may happen for unclean ssl socket shutdowns. */
|
||||
sslerr = bufferevent_get_openssl_error(bev);
|
||||
@@ -703,8 +703,9 @@ void ssl_handle_conn_origin_err(struct bufferevent * bev, void* logger)
|
||||
{
|
||||
/* these can happen due to client cert auth,
|
||||
* only log error if debugging is activated */
|
||||
TFE_LOG_ERROR(logger,"Error from upstream bufferevent: "
|
||||
TFE_LOG_ERROR(logger,"Handshake Error from %s bufferevent: "
|
||||
"%i:%s %lu:%i:%s:%i:%s:%i:%s\n",
|
||||
dir_str,
|
||||
errno,
|
||||
errno ? strerror(errno) : "-",
|
||||
sslerr,
|
||||
@@ -733,8 +734,9 @@ void ssl_handle_conn_origin_err(struct bufferevent * bev, void* logger)
|
||||
else
|
||||
{
|
||||
/* real errors */
|
||||
TFE_LOG_ERROR(logger,"Error from upstream bufferevent: "
|
||||
TFE_LOG_ERROR(logger,"Error from %s bufferevent: "
|
||||
"%i:%s %lu:%i:%s:%i:%s:%i:%s\n",
|
||||
dir_str,
|
||||
errno,
|
||||
errno ? strerror(errno) : "-",
|
||||
sslerr,
|
||||
@@ -778,7 +780,7 @@ static void ssl_connect_origin_eventcb(struct bufferevent * bev, short events, v
|
||||
if (events & BEV_EVENT_ERROR)
|
||||
{
|
||||
ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));
|
||||
ssl_handle_conn_origin_err(bev,ctx->mgr->logger);
|
||||
ssl_stream_log_error(bev, CONN_DIR_UPSTREAM, ctx->mgr->logger);
|
||||
promise_failed(promise, FUTURE_ERROR_EXCEPTION, "connect to original server failed.");
|
||||
}
|
||||
else if(events & BEV_EVENT_EOF)
|
||||
|
||||
@@ -404,6 +404,10 @@ static void __stream_bev_eventcb(struct bufferevent * bev, short events, void *
|
||||
{
|
||||
this_conn->closed = 1;
|
||||
reason = REASON_ERROR;
|
||||
if(__IS_SSL(_stream))
|
||||
{
|
||||
ssl_stream_log_error(bev, dir, __STREAM_LOGGER(_stream));
|
||||
}
|
||||
goto call_plugin_close;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user