业务层拦截策略(ssl policy)对接ssl stream。

This commit is contained in:
zhengchao
2019-05-19 17:45:16 +08:00
parent 61bc647d1f
commit 7cbd432a25
5 changed files with 89 additions and 46 deletions


@@ -134,8 +134,8 @@ struct ssl_mgr
struct sess_cache * down_sess_cache;
struct sess_cache * up_sess_cache;
struct ssl_service_cache* svc_cache;
ssl_stream_new_hook* on_new_hook_func;
void* hook_u_para;
ssl_stream_new_hook* on_new_upstream_cb;
void* upstream_cb_param;
struct session_ticket_key ticket_key;
char default_ciphers[TFE_SYMBOL_MAX];
@@ -526,7 +526,7 @@ void ssl_manager_destroy(struct ssl_mgr * mgr)
struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section,
struct event_base * ev_base_gc, void * logger, ssl_stream_new_hook* hook_func, void* hook_u_para)
struct event_base * ev_base_gc, void * logger)
{
unsigned char key_name[]="!mesalab-tfe3a~&";
unsigned char aes_key_def[]={0xC5,0xAC,0xC1,0xA6,0xB2,0xBB,0xCA,0xC7,0xE3,0xBE,0xE3,0xB2,0xC6,0xA3,0xB1,0xB9
@@ -595,8 +595,7 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
mgr->down_sess_cache = ssl_sess_cache_create(mgr->cache_slots, mgr->sess_expire_seconds, CONN_DIR_DOWNSTREAM);
}
mgr->svc_cache=ssl_service_cache_create(mgr->cache_slots, mgr->sess_expire_seconds);
mgr->on_new_hook_func=hook_func;
mgr->hook_u_para=hook_u_para;
//Reference to NGINX: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
//Support key rotation in futher.
@@ -647,6 +646,12 @@ error_out:
ssl_manager_destroy(mgr);
return NULL;
}
void ssl_manager_set_new_upstream_cb(struct ssl_mgr * mgr, ssl_stream_new_hook* new_upstream_cb, void* u_para)
{
mgr->on_new_upstream_cb=new_upstream_cb;
mgr->upstream_cb_param=u_para;
return;
}
void peek_client_hello_ctx_free(struct peek_client_hello_ctx * _ctx)
{
@@ -1174,7 +1179,14 @@ static void peek_chello_on_succ(future_result_t * result, void * user)
svc_status->is_ct,
svc_status->is_ev);
}
s_stream->up_parts.action=ctx->mgr->on_new_hook_func(s_stream, ctx->mgr->hook_u_para);
if(ctx->mgr->on_new_upstream_cb)
{
s_stream->up_parts.action=ctx->mgr->on_new_upstream_cb(s_stream, ctx->mgr->upstream_cb_param);
}
else
{
s_stream->up_parts.action=SSL_ACTION_INTERCEPT;
}
ctx->s_stream = s_stream;
if(s_stream->up_parts.action==SSL_ACTION_PASSTHROUGH)
{
@@ -1905,7 +1917,7 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
case SSL_STREAM_OPT_NO_VERIFY_EXPIRY_DATE:
verify_param->no_verify_expiry_date=opt_val;
break;
case SST_STREAM_OPT_VERIFY_FAIL_ACTION:
case SSL_STREAM_OPT_BLOCK_FAKE_CERT:
upstream->up_parts.block_fake_cert=opt_val;
break;
case SSL_STREAM_OPT_PROTOCOL_MIN_VERSION:
@@ -1915,6 +1927,7 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
upstream->ssl_max_version=opt_val;
break;
default:
assert(0);
return 0;
}
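Review bot: In peek_chello_on_succ, the new branch stores whatever the callback returns into `s_stream->up_parts.action` without checking it is a valid SSL_ACTION_* value, and with no callback installed every stream silently falls back to `SSL_ACTION_INTERCEPT`. Because the hook was moved out of ssl_manager_init into ssl_manager_set_new_upstream_cb, any ClientHello that completes between init and that call is now intercepted with no policy consulted, and the setter writes `on_new_upstream_cb` and `upstream_cb_param` as two separate stores, so a reader on another thread (if streams can already be live at that point — not visible here) could see the new callback paired with the old parameter. I would document the ordering contract on the setter, e.g. `/* Must be called before the manager starts accepting streams: peek_chello_on_succ defaults to SSL_ACTION_INTERCEPT when no callback is set, and the two fields are not updated atomically. */`, and state in a comment next to the else branch why intercept (rather than passthrough) is the chosen default when no policy is registered. The callback's return value should also be range-checked before use, falling back to the documented default and logging when it is out of range. The `return;` at the end of the void setter is redundant and can be dropped.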