gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加trusted_cert_load_local开关,控制是否加载本地的pem bundle文件,默认加载。

Browse Source
This commit is contained in:
zhengchao
2019-06-14 23:43:03 +08:00
parent b579c718b3
commit 6e6fdfd010
2 changed files with 39 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
platform/src/ssl_stream.cpp
View File

@@ -149,6 +149,7 @@ struct ssl_mgr
char * ecdhcurve; char * ecdhcurve;
char * crl_url; char * crl_url;
unsigned int trusted_cert_load_local;
struct cert_store_param cert_verify_param; struct cert_store_param cert_verify_param;
uint8_t ssl_mode_release_buffers; uint8_t ssl_mode_release_buffers;
char trusted_cert_file[TFE_PATH_MAX]; char trusted_cert_file[TFE_PATH_MAX];
@@ -705,13 +706,18 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
goto error_out; goto error_out;
} }
MESA_load_profile_uint_def(ini_profile, section, "trusted_cert_load_local",
&(mgr->trusted_cert_load_local), 1);
MESA_load_profile_uint_def(ini_profile, section, "check_cert_crl", &(mgr->cert_verify_param.check_crl), 0);
if(mgr->trusted_cert_load_local)//Other wise, use policy defined trusted CA file.
{
MESA_load_profile_string_def(ini_profile, section, "trusted_cert_file", mgr->trusted_cert_file, sizeof(mgr->trusted_cert_file), MESA_load_profile_string_def(ini_profile, section, "trusted_cert_file", mgr->trusted_cert_file, sizeof(mgr->trusted_cert_file),
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"); "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem");
MESA_load_profile_string_def(ini_profile, section, "trusted_cert_dir", mgr->trusted_cert_dir, sizeof(mgr->trusted_cert_dir), MESA_load_profile_string_def(ini_profile, section, "trusted_cert_dir", mgr->trusted_cert_dir, sizeof(mgr->trusted_cert_dir),
"./resource/tfe/trusted_storage"); "./resource/tfe/trusted_storage");
MESA_load_profile_uint_def(ini_profile, section, "check_cert_crl", &(mgr->cert_verify_param.check_crl), 0); }
mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir, &(mgr->cert_verify_param)); mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir, &(mgr->cert_verify_param));
if (mgr->trust_CA_store == NULL) if (mgr->trust_CA_store == NULL)
{ {

11
platform/src/ssl_trusted_cert_storage.cpp
View File

@@ -109,12 +109,15 @@ static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_di
{ {
return NULL; return NULL;
} }
if(pem_bundle&&strlen(pem_bundle)>0)
{
ret = X509_STORE_load_locations(store, pem_bundle, NULL); ret = X509_STORE_load_locations(store, pem_bundle, NULL);
if (ret == 0) if (ret == 0)
{ {
return NULL; return NULL;
} }
TFE_LOG_INFO(g_default_logger, "X509 trust store load pem boundle: %s", pem_bundle);
}
X509_VERIFY_PARAM *x509_param=NULL; X509_VERIFY_PARAM *x509_param=NULL;
if(param->check_crl) if(param->check_crl)
{ {
@@ -122,8 +125,11 @@ static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_di
X509_VERIFY_PARAM_set_flags(x509_param, X509_V_FLAG_CRL_CHECK); X509_VERIFY_PARAM_set_flags(x509_param, X509_V_FLAG_CRL_CHECK);
X509_STORE_set1_param(store, x509_param); X509_STORE_set1_param(store, x509_param);
X509_VERIFY_PARAM_free(x509_param); X509_VERIFY_PARAM_free(x509_param);
TFE_LOG_INFO(g_default_logger, "X509 trust store enable CRL check");
} }
struct dirent **namelist = NULL; struct dirent **namelist = NULL;
if(pem_dir&&strlen(pem_dir)>0)
{
n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort); n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort);
if(n < 0) if(n < 0)
{ {
@@ -142,11 +148,12 @@ static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_di
_X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CRL, path); _X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CRL, path);
} }
TFE_LOG_INFO(g_default_logger, "Found X509 additive trust CA: %s", path); TFE_LOG_INFO(g_default_logger, "X509 trust store found X509 additive trust CA: %s", path);
free(namelist[i]); free(namelist[i]);
} }
free(namelist); free(namelist);
}
return store; return store;
} }