gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'develop-tfe4a' of git.mesalab.cn:tango/tfe into develop-tfe4a

Browse Source
This commit is contained in:
zhengchao
2019-06-21 17:18:33 +08:00
parent 3187b45c6a d7df8069c2
commit 811435ca92
4 changed files with 21 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
platform/src/ssl_service_cache.cpp
View File

@@ -73,7 +73,7 @@ static size_t ssl_svc_server_st_mk_key(const struct ssl_chello* chello, const st
const char* sip=NULL, *sport=NULL, *dip=NULL, *dport=NULL;
char * addr_str= tfe_stream_addr_to_str(addr);
tfe_stream_addr_str_split(addr_str, &sip, &sport, &dip, &dport);
key_len=snprintf(key_buff, sz, "%s:%s:%s:", dip, dport, chello->sni);
key_len=snprintf(key_buff, sz, "%s:%s:%s:", dip, dport, chello->sni?chello->sni:"null");
free(addr_str);
return key_len;
}
@@ -83,10 +83,11 @@ static size_t ssl_svc_client_st_mk_key(const struct ssl_chello* chello, const st
const char* sip=NULL, *sport=NULL, *dip=NULL, *dport=NULL;
char * addr_str= tfe_stream_addr_to_str(addr);
tfe_stream_addr_str_split(addr_str, &sip, &sport, &dip, &dport);
key_len=snprintf(key_buff, sz, "%s:%d:%d:%s:%s:", sip,
key_len=snprintf(key_buff, sz, "%s:%d:%d:%s:%s", sip,
chello->min_version.ossl_format,
chello->max_version.ossl_format,
chello->sni, chello->alpn?chello->alpn:"null");
chello->sni?chello->sni: dip ,
chello->alpn?chello->alpn:"null");
if(chello->cipher_suites && sz-key_len>chello->cipher_suites_len)
{
memcpy(key_buff+key_len, chello->cipher_suites, chello->cipher_suites_len);

2
platform/src/ssl_sess_cache.cpp
View File

@@ -183,7 +183,7 @@ static size_t upsess_mk_key(struct sockaddr * res, socklen_t addrlen, const char
break;
}
key_size=asprintf((char**)key_buf,"%s:%u:%s",s, port, sni);
key_size=asprintf((char**)key_buf,"%s:%u:%s",s, port, sni?sni:"null");
free(s);
return key_size;
}

26
platform/src/ssl_stream.cpp
View File

@@ -214,8 +214,8 @@ struct ssl_stream
uint64_t connect_latency_ms;
struct ssl_stream* peer;
socklen_t addrlen;
struct sockaddr_storage addr;
socklen_t peer_addrlen;
struct sockaddr_storage peer_addr;
struct __ssl_stream_debug _do_not_use;
enum ssl_stream_error error;
};
@@ -500,7 +500,7 @@ struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enu
s_stream->ssl_min_version=mgr->ssl_min_version;
s_stream->peer=peer;
s_stream->tcp_stream=tcp_stream;
ret = getpeername(fd, (struct sockaddr *) (&s_stream->addr), &(s_stream->addrlen));
ret = getpeername(fd, (struct sockaddr *) (&s_stream->peer_addr), &(s_stream->peer_addrlen));
switch (dir)
{
case CONN_DIR_DOWNSTREAM:
@@ -935,7 +935,7 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_NO_INTERNAL);
/* session resuming based on remote endpoint address and port */
sess = up_session_get(mgr->up_sess_cache,
(struct sockaddr *) &(s_stream->addr), s_stream->addrlen, chello->sni,
(struct sockaddr *) &(s_stream->peer_addr), s_stream->peer_addrlen, chello->sni,
s_stream->ssl_min_version, s_stream->ssl_max_version);
if (sess)
{
@@ -1223,7 +1223,6 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
struct ssl_mgr* mgr=s_stream->mgr;
SSL_SESSION * ssl_sess = NULL;
char error_str[TFE_STRING_MAX];
const char* sni=s_upstream->client_hello->sni?s_upstream->client_hello->sni:"null";
uint64_t jiffies_ms;
unsigned long sslerr=0;
if (events & BEV_EVENT_ERROR)
@@ -1254,7 +1253,10 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
jiffies_ms=(ctx->end.tv_sec-ctx->start.tv_sec)*1000+(ctx->end.tv_nsec-ctx->start.tv_nsec)/1000000;
if(jiffies_ms>LATENCY_WARNING_THRESHOLD_MS)
{
TFE_LOG_ERROR(mgr->logger, "Warning: ssl connect server latency %ld ms: addr=%s, sni=%s", jiffies_ms, s_stream->tcp_stream->str_stream_info, sni);
TFE_LOG_ERROR(mgr->logger, "Warning: ssl connect server latency %ld ms: addr=%s, sni=%s",
jiffies_ms,
s_stream->tcp_stream->str_stream_info,
s_upstream->client_hello->sni);
}
s_stream->connect_latency_ms=jiffies_ms;
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_SERVER_SIDE_LATENCY, jiffies_ms);
@@ -1338,7 +1340,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
if(s_stream->error)
{
ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_ERROR, ssl_stream_get_error_string(s_stream->error));
snprintf(error_str, sizeof(error_str), "%s, sni=%s", ssl_stream_get_error_string(s_stream->error), sni);
snprintf(error_str, sizeof(error_str), "%s, sni=%s", ssl_stream_get_error_string(s_stream->error), s_upstream->client_hello->sni);
promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
}
wrap_ssl_connect_server_ctx_free(ctx);
@@ -1698,7 +1700,7 @@ void downstream_ossl_init(struct ssl_stream *s_stream)
SSL_CTX_sess_set_new_cb(sslctx, ossl_downsess_new_cb);
SSL_CTX_sess_set_remove_cb(sslctx, ossl_downsess_remove_cb);
SSL_CTX_sess_set_get_cb(sslctx, ossl_downsess_get_cb);
if(!mgr->no_sessticket)
if(!mgr->no_sessticket&&s_stream->peer->up_parts.client_hello->sni)
{
SSL_CTX_set_tlsext_ticket_key_cb(sslctx, ossl_session_ticket_key_callback);
}
@@ -1811,7 +1813,6 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
struct ssl_stream * s_stream = ctx->downstream;
struct ssl_upstream_parts* s_upstream= &(ctx->peer->up_parts);
struct ssl_mgr* mgr=s_stream->mgr;
const char* sni=s_upstream->client_hello->sni?s_upstream->client_hello->sni:"null";
char error_str[TFE_STRING_MAX]={0};
uint64_t jiffies_ms=0;
unsigned long sslerr=0;
@@ -1842,7 +1843,10 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
jiffies_ms=(ctx->end.tv_sec-ctx->start.tv_sec)*1000+(ctx->end.tv_nsec-ctx->start.tv_nsec)/1000000;
if(jiffies_ms>LATENCY_WARNING_THRESHOLD_MS)
{
TFE_LOG_ERROR(mgr->logger, "Warning: ssl connect client latency %ld ms: addr=%s, sni=%s", jiffies_ms, s_stream->tcp_stream->str_stream_info, sni);
TFE_LOG_ERROR(mgr->logger, "Warning: ssl connect client latency %ld ms: addr=%s, sni=%s",
jiffies_ms,
s_stream->tcp_stream->str_stream_info,
s_upstream->client_hello->sni);
}
s_stream->connect_latency_ms=jiffies_ms;
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_CLIENT_SIDE_LATENCY, jiffies_ms);
@@ -1861,7 +1865,7 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
if(s_stream->error)
{
ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_ERROR, ssl_stream_get_error_string(s_stream->error));
snprintf(error_str, sizeof(error_str), "%s : sni=%s", ssl_stream_get_error_string(s_stream->error), sni);
snprintf(error_str, sizeof(error_str), "%s : sni=%s", ssl_stream_get_error_string(s_stream->error), s_upstream->client_hello->sni);
promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
}

2
plugin/business/ssl-policy/src/ssl_policy.cpp
View File

@@ -222,7 +222,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
else
{
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_SNI, sni, sizeof(sni));
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, sni, sizeof(addr_string));
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, addr_string, sizeof(addr_string));
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy %d", addr_string, sni, policy_id);
}
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0;