From 9a58460460142386aecd658d7c23e590574a9002 Mon Sep 17 00:00:00 2001
From: luwenpeng
Date: Fri, 17 Jan 2020 14:15:00 +0800
Subject: [PATCH] =?UTF-8?q?TSG-700=20=E4=B8=AD=E9=97=B4=E8=AF=81=E4=B9=A6?=
 =?UTF-8?q?=E7=BC=93=E5=AD=98=E6=9D=A1=E4=BB=B6=EF=BC=8C=E4=B8=8E=E8=AF=81?=
 =?UTF-8?q?=E4=B9=A6=E6=A0=A1=E9=AA=8C=E5=BC=80=E5=85=B3=E6=97=A0=E5=85=B3?=
 =?UTF-8?q?=EF=BC=8Ctfe=E6=8C=89=E7=85=A7x509/openssl=E7=9A=84=E6=A0=87?=
 =?UTF-8?q?=E5=87=86=E6=A0=A1=E9=AA=8C=E8=AF=81=E4=B9=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../internal/ssl_trusted_cert_storage.h | 1 +
 platform/src/ssl_trusted_cert_storage.cpp | 32 +++++++++++++++----
 2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/platform/include/internal/ssl_trusted_cert_storage.h b/platform/include/internal/ssl_trusted_cert_storage.h
index 11daeee..d85d495 100644
--- a/platform/include/internal/ssl_trusted_cert_storage.h
+++ b/platform/include/internal/ssl_trusted_cert_storage.h
@@ -19,6 +19,7 @@ struct cert_verify_param
 char no_verify_cn;
 char no_verify_issuer;
 char no_verify_expiry_date;
+ char real_untrust;
 };
 struct cert_verify_result
 {
diff --git a/platform/src/ssl_trusted_cert_storage.cpp b/platform/src/ssl_trusted_cert_storage.cpp
index 9072ea5..d9ff4fe 100644
--- a/platform/src/ssl_trusted_cert_storage.cpp
+++ b/platform/src/ssl_trusted_cert_storage.cpp
@@ -304,6 +304,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 {
 ret=1;
 }
+ param->real_untrust |= 0x02;
 break;
 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
@@ -311,6 +312,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 {
 ret=1;
 }
+ param->real_untrust |= 0x04;
 break;
 case X509_V_ERR_CERT_NOT_YET_VALID:
 case X509_V_ERR_CERT_HAS_EXPIRED:
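Review bot: `real_untrust` is used as a bitmask in ssl_trusted_cert_storage.cpp (0x01 host mismatch, 0x02 issuer, 0x04 self-signed, 0x08 expiry) but is added here as a bare `char` with no comment, and `char` may be signed on some targets; `unsigned char real_untrust; /* bitmask of failed checks: 0x01 host, 0x02 issuer, 0x04 self-signed, 0x08 expiry */` documents the encoding and avoids the signedness question. The neighbouring fields are the no_verify_* switches, i.e. configuration, whereas this field is per-verification output written from both verify_callback and ssl_trusted_cert_storage_verify_conn; if one cert_verify_param is shared between connections or threads, one connection's reset can clear bits another connection's callback has just set. That cannot be confirmed from the hunk, but `cert_verify_result` (declared immediately below, and already carrying `is_hostmatched`) looks like the safer home for per-connection state.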
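Review bot: The bit values 0x02, 0x04 and 0x08 are bare magic numbers here and in the hunks at -311 and -318, and the same encoding reappears as 0x01 and 0x0f in the verify_conn log and final check; one set of named constants would keep the callback and the check in sync, e.g. `enum { UNTRUST_HOST = 0x01, UNTRUST_ISSUER = 0x02, UNTRUST_SELF_SIGNED = 0x04, UNTRUST_EXPIRED = 0x08 };` (names constructed for the proposal). The `|=` sits after the `if { ret=1; }` block, so the bit is recorded whether or not the corresponding no_verify_* switch forced `ret` to 1, which appears to be the commit's intent; a one-line comment, `// recorded regardless of the no_verify_* override: drives intermediate-cert caching, not the handshake result`, would keep the next reader from "fixing" it. verify_callback begins and ends outside the hunk, so the case labels this bit belongs to and the default branch are not visible here.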
@@ -318,6 +320,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 {
 ret=1;
 }
+ param->real_untrust |= 0x08;
 break;
 case X509_V_ERR_UNABLE_TO_GET_CRL:
 case X509_V_ERR_DIFFERENT_CRL_SCOPE:
@@ -346,10 +349,20 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
 // The peer certificate chain is not necessarily available after reusing a session, in which case a NULL pointer is returned.
 return 1;
 }
+ param->real_untrust = 0;
 X509 * cert = sk_X509_value(cert_chain, 0);
+
+ int hostmatched;
+ if (hostname)
+ {
+ hostmatched = X509_check_host(cert, hostname, strlen(hostname), 0, NULL);
+ if (hostmatched != 1)
+ param->real_untrust |= 0x01;
+ }
+
 if(!param->no_verify_cn&&hostname)
 {
- result->is_hostmatched=X509_check_host(cert, hostname, strlen(hostname), 0, NULL);
+ result->is_hostmatched=hostmatched;
 }
 else
 {
@@ -402,12 +415,17 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
 ret=1;
 }
- // case cert verify success
- if (!param->no_verify_self_signed &&
- !param->no_verify_cn &&
- !param->no_verify_issuer &&
- !param->no_verify_expiry_date &&
- ret == 1) {
+ TFE_LOG_DEBUG(g_default_logger,
+ "sni:%s, cet_real_untrust:%d, verify_host_fail:%d, verify_issure_fail:%d, verify_self_signed_fail:%d, verify_expiry_date_fail:%d",
+ (hostname ? hostname : "NULL"),
+ ((param->real_untrust & 0x0f) ? 1 : 0),
+ ((param->real_untrust & 0x01) ? 1 : 0),
+ ((param->real_untrust & 0x02) ? 1 : 0),
+ ((param->real_untrust & 0x04) ? 1 : 0),
+ ((param->real_untrust & 0x08) ? 1 : 0));
+
+ // case cert verify success
+ if (param->real_untrust == 0) {
 ssl_fetch_trusted_cert_from_chain(cert_chain, storage->effective_store, hostname);
 }
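Review bot: `param->real_untrust = 0;` discards anything verify_callback has already OR'd into the field, so the later `real_untrust == 0` test is only meaningful if the callback runs after this point (for instance from an X509_verify_cert call further down this function, outside the hunk); if the callback fires during the handshake before verify_conn is called, only the hostname bit survives to the final check. Whether that ordering holds cannot be seen here, and it deserves a comment on the reset line, e.g. `// must precede the chain verification below: verify_callback ORs its failure bits into this field`. `int hostmatched;` is left uninitialized; every read is guarded by `hostname` today, but `int hostmatched = 0;` removes the dependence on that pairing. X509_check_host returns 1 on match, 0 on mismatch and a negative value on error or malformed input, so `hostmatched != 1` correctly treats all three as untrusted.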
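Review bot: Dropping `ret == 1` from the caching condition means a chain that fails any check the callback does not tag (the CRL cases visible in the -318 hunk's context, signature or invalid-CA errors, whatever the unseen default branch of verify_callback covers) still leaves `real_untrust` at 0, and ssl_fetch_trusted_cert_from_chain then adds its intermediate certificate to `storage->effective_store`. Unless that default branch also sets a bit, keep the verification result in the test alongside the new bitmask: `if (param->real_untrust == 0 && ret == 1) {`, assuming `ret` here still reflects the chain verification outcome as the removed condition implies. The format string also carries two typos, `cet_real_untrust` and `verify_issure_fail`, which will make log searches miss these entries. The enclosing function continues past the hunk, so the later use of `ret` is not visible.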