gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

处理无sni的ssl。

Browse Source
This commit is contained in:
zhengchao
2019-06-21 16:10:26 +08:00
parent 1a725d24ce
commit 8c33bd3a58
3 changed files with 20 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
platform/src/ssl_service_cache.cpp
View File

@@ -73,7 +73,7 @@ static size_t ssl_svc_server_st_mk_key(const struct ssl_chello* chello, const st
const char* sip=NULL, *sport=NULL, *dip=NULL, *dport=NULL; const char* sip=NULL, *sport=NULL, *dip=NULL, *dport=NULL;
char * addr_str= tfe_stream_addr_to_str(addr); char * addr_str= tfe_stream_addr_to_str(addr);
tfe_stream_addr_str_split(addr_str, &sip, &sport, &dip, &dport); tfe_stream_addr_str_split(addr_str, &sip, &sport, &dip, &dport);
key_len=snprintf(key_buff, sz, "%s:%s:%s:", dip, dport, chello->sni); key_len=snprintf(key_buff, sz, "%s:%s:%s:", dip, dport, chello->sni?chello->sni:"null");
free(addr_str); free(addr_str);
return key_len; return key_len;
} }
@@ -83,10 +83,11 @@ static size_t ssl_svc_client_st_mk_key(const struct ssl_chello* chello, const st
const char* sip=NULL, *sport=NULL, *dip=NULL, *dport=NULL; const char* sip=NULL, *sport=NULL, *dip=NULL, *dport=NULL;
char * addr_str= tfe_stream_addr_to_str(addr); char * addr_str= tfe_stream_addr_to_str(addr);
tfe_stream_addr_str_split(addr_str, &sip, &sport, &dip, &dport); tfe_stream_addr_str_split(addr_str, &sip, &sport, &dip, &dport);
key_len=snprintf(key_buff, sz, "%s:%d:%d:%s:%s:", sip, key_len=snprintf(key_buff, sz, "%s:%d:%d:%s:%s", sip,
chello->min_version.ossl_format, chello->min_version.ossl_format,
chello->max_version.ossl_format, chello->max_version.ossl_format,
chello->sni, chello->alpn?chello->alpn:"null"); chello->sni?chello->sni: dip ,
chello->alpn?chello->alpn:"null");
if(chello->cipher_suites && sz-key_len>chello->cipher_suites_len) if(chello->cipher_suites && sz-key_len>chello->cipher_suites_len)
{ {
memcpy(key_buff+key_len, chello->cipher_suites, chello->cipher_suites_len); memcpy(key_buff+key_len, chello->cipher_suites, chello->cipher_suites_len);

2
platform/src/ssl_sess_cache.cpp
View File

@@ -183,7 +183,7 @@ static size_t upsess_mk_key(struct sockaddr * res, socklen_t addrlen, const char
break; break;
} }
key_size=asprintf((char**)key_buf,"%s:%u:%s",s, port, sni); key_size=asprintf((char**)key_buf,"%s:%u:%s",s, port, sni?sni:"null");
free(s); free(s);
return key_size; return key_size;
} }

26
platform/src/ssl_stream.cpp
View File

@@ -214,8 +214,8 @@ struct ssl_stream
uint64_t connect_latency_ms; uint64_t connect_latency_ms;
struct ssl_stream* peer; struct ssl_stream* peer;
socklen_t addrlen; socklen_t peer_addrlen;
struct sockaddr_storage addr; struct sockaddr_storage peer_addr;
struct __ssl_stream_debug _do_not_use; struct __ssl_stream_debug _do_not_use;
enum ssl_stream_error error; enum ssl_stream_error error;
}; };
@@ -500,7 +500,7 @@ struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enu
s_stream->ssl_min_version=mgr->ssl_min_version; s_stream->ssl_min_version=mgr->ssl_min_version;
s_stream->peer=peer; s_stream->peer=peer;
s_stream->tcp_stream=tcp_stream; s_stream->tcp_stream=tcp_stream;
ret = getpeername(fd, (struct sockaddr *) (&s_stream->addr), &(s_stream->addrlen)); ret = getpeername(fd, (struct sockaddr *) (&s_stream->peer_addr), &(s_stream->peer_addrlen));
switch (dir) switch (dir)
{ {
case CONN_DIR_DOWNSTREAM: case CONN_DIR_DOWNSTREAM:
@@ -935,7 +935,7 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_NO_INTERNAL); SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_NO_INTERNAL);
/* session resuming based on remote endpoint address and port */ /* session resuming based on remote endpoint address and port */
sess = up_session_get(mgr->up_sess_cache, sess = up_session_get(mgr->up_sess_cache,
(struct sockaddr *) &(s_stream->addr), s_stream->addrlen, chello->sni, (struct sockaddr *) &(s_stream->peer_addr), s_stream->peer_addrlen, chello->sni,
s_stream->ssl_min_version, s_stream->ssl_max_version); s_stream->ssl_min_version, s_stream->ssl_max_version);
if (sess) if (sess)
{ {
@@ -1223,7 +1223,6 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
struct ssl_mgr* mgr=s_stream->mgr; struct ssl_mgr* mgr=s_stream->mgr;
SSL_SESSION * ssl_sess = NULL; SSL_SESSION * ssl_sess = NULL;
char error_str[TFE_STRING_MAX]; char error_str[TFE_STRING_MAX];
const char* sni=s_upstream->client_hello->sni?s_upstream->client_hello->sni:"null";
uint64_t jiffies_ms; uint64_t jiffies_ms;
unsigned long sslerr=0; unsigned long sslerr=0;
if (events & BEV_EVENT_ERROR) if (events & BEV_EVENT_ERROR)
@@ -1254,7 +1253,10 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
jiffies_ms=(ctx->end.tv_sec-ctx->start.tv_sec)*1000+(ctx->end.tv_nsec-ctx->start.tv_nsec)/1000000; jiffies_ms=(ctx->end.tv_sec-ctx->start.tv_sec)*1000+(ctx->end.tv_nsec-ctx->start.tv_nsec)/1000000;
if(jiffies_ms>LATENCY_WARNING_THRESHOLD_MS) if(jiffies_ms>LATENCY_WARNING_THRESHOLD_MS)
{ {
TFE_LOG_ERROR(mgr->logger, "Warning: ssl connect server latency %ld ms: addr=%s, sni=%s", jiffies_ms, s_stream->tcp_stream->str_stream_info, sni); TFE_LOG_ERROR(mgr->logger, "Warning: ssl connect server latency %ld ms: addr=%s, sni=%s",
jiffies_ms,
s_stream->tcp_stream->str_stream_info,
s_upstream->client_hello->sni);
} }
s_stream->connect_latency_ms=jiffies_ms; s_stream->connect_latency_ms=jiffies_ms;
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_SERVER_SIDE_LATENCY, jiffies_ms); ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_SERVER_SIDE_LATENCY, jiffies_ms);
@@ -1338,7 +1340,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
if(s_stream->error) if(s_stream->error)
{ {
ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_ERROR, ssl_stream_get_error_string(s_stream->error)); ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_ERROR, ssl_stream_get_error_string(s_stream->error));
snprintf(error_str, sizeof(error_str), "%s, sni=%s", ssl_stream_get_error_string(s_stream->error), sni); snprintf(error_str, sizeof(error_str), "%s, sni=%s", ssl_stream_get_error_string(s_stream->error), s_upstream->client_hello->sni);
promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str); promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
} }
wrap_ssl_connect_server_ctx_free(ctx); wrap_ssl_connect_server_ctx_free(ctx);
@@ -1699,7 +1701,7 @@ void downstream_ossl_init(struct ssl_stream *s_stream)
SSL_CTX_sess_set_new_cb(sslctx, ossl_downsess_new_cb); SSL_CTX_sess_set_new_cb(sslctx, ossl_downsess_new_cb);
SSL_CTX_sess_set_remove_cb(sslctx, ossl_downsess_remove_cb); SSL_CTX_sess_set_remove_cb(sslctx, ossl_downsess_remove_cb);
SSL_CTX_sess_set_get_cb(sslctx, ossl_downsess_get_cb); SSL_CTX_sess_set_get_cb(sslctx, ossl_downsess_get_cb);
if(!mgr->no_sessticket) if(!mgr->no_sessticket&&s_stream->peer->up_parts.client_hello->sni)
{ {
SSL_CTX_set_tlsext_ticket_key_cb(sslctx, ossl_session_ticket_key_callback); SSL_CTX_set_tlsext_ticket_key_cb(sslctx, ossl_session_ticket_key_callback);
} }
@@ -1812,7 +1814,6 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
struct ssl_stream * s_stream = ctx->downstream; struct ssl_stream * s_stream = ctx->downstream;
struct ssl_upstream_parts* s_upstream= &(ctx->peer->up_parts); struct ssl_upstream_parts* s_upstream= &(ctx->peer->up_parts);
struct ssl_mgr* mgr=s_stream->mgr; struct ssl_mgr* mgr=s_stream->mgr;
const char* sni=s_upstream->client_hello->sni?s_upstream->client_hello->sni:"null";
char error_str[TFE_STRING_MAX]={0}; char error_str[TFE_STRING_MAX]={0};
uint64_t jiffies_ms=0; uint64_t jiffies_ms=0;
unsigned long sslerr=0; unsigned long sslerr=0;
@@ -1843,7 +1844,10 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
jiffies_ms=(ctx->end.tv_sec-ctx->start.tv_sec)*1000+(ctx->end.tv_nsec-ctx->start.tv_nsec)/1000000; jiffies_ms=(ctx->end.tv_sec-ctx->start.tv_sec)*1000+(ctx->end.tv_nsec-ctx->start.tv_nsec)/1000000;
if(jiffies_ms>LATENCY_WARNING_THRESHOLD_MS) if(jiffies_ms>LATENCY_WARNING_THRESHOLD_MS)
{ {
TFE_LOG_ERROR(mgr->logger, "Warning: ssl connect client latency %ld ms: addr=%s, sni=%s", jiffies_ms, s_stream->tcp_stream->str_stream_info, sni); TFE_LOG_ERROR(mgr->logger, "Warning: ssl connect client latency %ld ms: addr=%s, sni=%s",
jiffies_ms,
s_stream->tcp_stream->str_stream_info,
s_upstream->client_hello->sni);
} }
s_stream->connect_latency_ms=jiffies_ms; s_stream->connect_latency_ms=jiffies_ms;
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_CLIENT_SIDE_LATENCY, jiffies_ms); ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_CLIENT_SIDE_LATENCY, jiffies_ms);
@@ -1862,7 +1866,7 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
if(s_stream->error) if(s_stream->error)
{ {
ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_ERROR, ssl_stream_get_error_string(s_stream->error)); ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_ERROR, ssl_stream_get_error_string(s_stream->error));
snprintf(error_str, sizeof(error_str), "%s : sni=%s", ssl_stream_get_error_string(s_stream->error), sni); snprintf(error_str, sizeof(error_str), "%s : sni=%s", ssl_stream_get_error_string(s_stream->error), s_upstream->client_hello->sni);
promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str); promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
} }