TSG-700 中间证书缓存条件,与证书校验开关无关,tfe按照x509/openssl的标准校验证书

This commit is contained in:
luwenpeng
2020-01-17 14:15:00 +08:00
parent adda5eca92
commit 9a58460460
2 changed files with 26 additions and 7 deletions


@@ -304,6 +304,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
ret=1;
}
param->real_untrust |= 0x02;
break;
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
@@ -311,6 +312,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
ret=1;
}
param->real_untrust |= 0x04;
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CERT_HAS_EXPIRED:
@@ -318,6 +320,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
ret=1;
}
param->real_untrust |= 0x08;
break;
case X509_V_ERR_UNABLE_TO_GET_CRL:
case X509_V_ERR_DIFFERENT_CRL_SCOPE:
@@ -346,10 +349,20 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
// The peer certificate chain is not necessarily available after reusing a session, in which case a NULL pointer is returned.
return 1;
}
param->real_untrust = 0;
X509 * cert = sk_X509_value(cert_chain, 0);
int hostmatched;
if (hostname)
{
hostmatched = X509_check_host(cert, hostname, strlen(hostname), 0, NULL);
if (hostmatched != 1)
param->real_untrust |= 0x01;
}
if(!param->no_verify_cn&&hostname)
{
result->is_hostmatched=X509_check_host(cert, hostname, strlen(hostname), 0, NULL);
result->is_hostmatched=hostmatched;
}
else
{
@@ -402,12 +415,17 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
ret=1;
}
// case cert verify success
if (!param->no_verify_self_signed &&
!param->no_verify_cn &&
!param->no_verify_issuer &&
!param->no_verify_expiry_date &&
ret == 1) {
TFE_LOG_DEBUG(g_default_logger,
"sni:%s, cet_real_untrust:%d, verify_host_fail:%d, verify_issure_fail:%d, verify_self_signed_fail:%d, verify_expiry_date_fail:%d",
(hostname ? hostname : "NULL"),
((param->real_untrust & 0x0f) ? 1 : 0),
((param->real_untrust & 0x01) ? 1 : 0),
((param->real_untrust & 0x02) ? 1 : 0),
((param->real_untrust & 0x04) ? 1 : 0),
((param->real_untrust & 0x08) ? 1 : 0));
// case cert verify success
if (param->real_untrust == 0) {
ssl_fetch_trusted_cert_from_chain(cert_chain, storage->effective_store, hostname);
}
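Review bot: The new caching condition `if (param->real_untrust == 0)` in ssl_trusted_cert_storage_verify_conn proves only that none of the four flagged error groups occurred, not that OpenSSL accepted the chain: the first three hunks set bits 0x02, 0x04 and 0x08 for the issuer, self-signed and validity-period cases, the fourth sets 0x01 for a hostname mismatch, and any other X509_V_ERR_* reaching a later case or a default branch (the CRL cases at the end of the third hunk are cut off, so whether they set a bit is not visible) leaves the mask at 0. If that block sits after the `ret == 1` if whose closing brace is not visible here, a chain rejected for such an error would still be passed to `ssl_fetch_trusted_cert_from_chain` and cached in `storage->effective_store`. I would have the mask mirror the raw outcome — e.g. in verify_callback set a reserved bit such as `param->real_untrust |= 0x10;` (value to be chosen) for every error outside the four groups whenever `preverify_ok` is 0 — so that `real_untrust == 0` means verified clean by OpenSSL independently of the no_verify_* switches, which is what the commit title asks for. The debug format string spells `cet_real_untrust` and `verify_issure_fail`; `cert_real_untrust` and `verify_issuer_fail` would be clearer. The enclosing function continues past both ends of this hunk.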