feature (adapt maat): keyring type changed from int to uuid_string when using RPC with cerstore

This commit is contained in:
luwenpeng
2024-09-25 17:55:12 +08:00
parent 0461a12216
commit a571c85b47
3 changed files with 15 additions and 13 deletions


@@ -27,7 +27,7 @@ void key_keeper_free_keyring(struct keyring* cert);
struct evhttp_connection* key_keeper_evhttp_init(struct event_base * evbase, struct evdns_base* dnsbase, struct key_keeper * key_keeper_handler); struct evhttp_connection* key_keeper_evhttp_init(struct event_base * evbase, struct evdns_base* dnsbase, struct key_keeper * key_keeper_handler);
void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, int keyring_id, void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, uuid_t *keyring_uuid,
X509 * origin_cert, int is_cert_valid, struct event_base * evbase, struct evdns_base* dnsbase, struct evhttp_connection *evhttp); X509 * origin_cert, int is_cert_valid, struct event_base * evbase, struct evdns_base* dnsbase, struct evhttp_connection *evhttp);
void key_keeper_statistic(struct key_keeper *keeper, struct key_keeper_stat* result); void key_keeper_statistic(struct key_keeper *keeper, struct key_keeper_stat* result);
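Review bot: The new `uuid_t *keyring_uuid` parameter in the key_keeper_async_ask prototype is not const-qualified although the implementation only reads it (it is passed to uuid_unparse, which takes a const uuid_t), and the prototype gives no hint that the pointer is dereferenced unconditionally. Declare it as `const uuid_t *keyring_uuid,` and add a comment on the declaration, e.g. `/* keyring_uuid: must be non-NULL; the UUID is copied into the cache key and the cert-store query URL, the pointer is not retained */`. The same change would apply to the definition in the second file of this commit.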


@@ -678,7 +678,7 @@ struct keyring* key_keeper_release_keyring(future_result_t* result)
return &(kyr->head); return &(kyr->head);
} }
static uchar* get_key_by_cert(X509* cert, int keyring_id, unsigned int* len, int is_cert_valid) static uchar* get_key_by_cert(X509* cert, const char *keyring_uuid_str, unsigned int* len, int is_cert_valid)
{ {
if(cert == NULL) if(cert == NULL)
{ {
@@ -692,7 +692,7 @@ static uchar* get_key_by_cert(X509* cert, int keyring_id, unsigned int* len, int
} }
char* key = ALLOC(char, HTABLE_MAX_KEY_LEN); char* key = ALLOC(char, HTABLE_MAX_KEY_LEN);
memset(key, 0, HTABLE_MAX_KEY_LEN); memset(key, 0, HTABLE_MAX_KEY_LEN);
snprintf(key, HTABLE_MAX_KEY_LEN, "%d:%d:", keyring_id, is_cert_valid); snprintf(key, HTABLE_MAX_KEY_LEN, "%d:%d:", keyring_uuid_str, is_cert_valid);
strncat(key, cert_fingerprint, HTABLE_MAX_KEY_LEN); strncat(key, cert_fingerprint, HTABLE_MAX_KEY_LEN);
*len = strnlen(key, HTABLE_MAX_KEY_LEN); *len = strnlen(key, HTABLE_MAX_KEY_LEN);
free(cert_fingerprint); free(cert_fingerprint);
@@ -716,11 +716,13 @@ char* url_escape(char* url)
return _url; return _url;
} }
void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, int keyring_id, X509 * origin_cert, int is_cert_valid, struct event_base * evbase, struct evdns_base* dnsbase, struct evhttp_connection *evhttp) void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, uuid_t *keyring_uuid, X509 * origin_cert, int is_cert_valid, struct event_base * evbase, struct evdns_base* dnsbase, struct evhttp_connection *evhttp)
{ {
struct promise* p = future_to_promise(f); struct promise* p = future_to_promise(f);
unsigned int len = 0; unsigned int len = 0;
uchar* key = get_key_by_cert(origin_cert, keyring_id, &len, is_cert_valid); char keyring_uuid_str[UUID_STRING_SIZE];
uuid_unparse(*keyring_uuid, keyring_uuid_str);
uchar* key = get_key_by_cert(origin_cert, keyring_uuid_str, &len, is_cert_valid);
if(key == NULL) if(key == NULL)
{ {
promise_failed(p, FUTURE_ERROR_EXCEPTION, "get hash key by_cert failed"); promise_failed(p, FUTURE_ERROR_EXCEPTION, "get hash key by_cert failed");
@@ -771,13 +773,13 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
//keyring_id = 1; //keyring_id = 1;
if(sni == NULL || sni[0] == '\0') if(sni == NULL || sni[0] == '\0')
{ {
asprintf(&url, "http://%s:%d/ca?keyring_id=%d&is_valid=%d", asprintf(&url, "http://%s:%d/ca?keyring_id=%s&is_valid=%d",
keeper->cert_store_host, keeper->cert_store_port, keyring_id, is_cert_valid); keeper->cert_store_host, keeper->cert_store_port, keyring_uuid_str, is_cert_valid);
} }
else else
{ {
asprintf(&url, "http://%s:%d/ca?keyring_id=%d&sni=%s&is_valid=%d", asprintf(&url, "http://%s:%d/ca?keyring_id=%s&sni=%s&is_valid=%d",
keeper->cert_store_host, keeper->cert_store_port, keyring_id, sni, is_cert_valid); keeper->cert_store_host, keeper->cert_store_port, keyring_uuid_str, sni, is_cert_valid);
} }
TFE_LOG_DEBUG(keeper->logger, "CertStore query: %.100s", url); TFE_LOG_DEBUG(keeper->logger, "CertStore query: %.100s", url);
tfe_rpc_async_ask(f_certstore_rpc, url, POST, DONE_CB, origin_cert_pem, strlen(origin_cert_pem), evbase, dnsbase, evhttp); tfe_rpc_async_ask(f_certstore_rpc, url, POST, DONE_CB, origin_cert_pem, strlen(origin_cert_pem), evbase, dnsbase, evhttp);
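Review bot: In get_key_by_cert the snprintf format was left as `"%d:%d:"` while the first argument became `keyring_uuid_str`, a `const char *`, so the call is undefined behaviour and the cache key encodes a truncated pointer value instead of the keyring; since that pointer is likely the same stack address on every call, keys for different keyrings (the trusted and untrusted ones chosen by the caller) can collide and one keyring's entry could be served for the other. Change it to `snprintf(key, HTABLE_MAX_KEY_LEN, "%s:%d:", keyring_uuid_str, is_cert_valid);` and build with `-Wformat` so this class of mismatch fails to compile. The key also grew from a few digits to a 36-character UUID string, so it is worth confirming that HTABLE_MAX_KEY_LEN still leaves room for the fingerprint appended on the next line (and that the strncat bound there is the remaining space, not the total size). Both get_key_by_cert and key_keeper_async_ask continue outside the shown hunks.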


@@ -2036,16 +2036,16 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct
ctx->f_ask_keyring = future_create("ask_kyr",ask_keyring_on_succ, ask_keyring_on_fail, p); ctx->f_ask_keyring = future_create("ask_kyr",ask_keyring_on_succ, ask_keyring_on_fail, p);
ctx->is_origin_crt_verify_passed = upstream->up_parts.is_server_cert_verify_passed; ctx->is_origin_crt_verify_passed = upstream->up_parts.is_server_cert_verify_passed;
int keyring_id = 0; uuid_t *keyring_uuid = NULL;
if (ctx->is_origin_crt_verify_passed) if (ctx->is_origin_crt_verify_passed)
{ {
keyring_id = upstream->up_parts.keyring_for_trusted; keyring_uuid = &upstream->up_parts.keyring_for_trusted;
} }
else else
{ {
keyring_id = upstream->up_parts.keyring_for_untrusted; keyring_uuid = &upstream->up_parts.keyring_for_untrusted;
} }
key_keeper_async_ask(ctx->f_ask_keyring, mgr->key_keeper, sni, keyring_id, ctx->origin_crt, ctx->is_origin_crt_verify_passed, key_keeper_async_ask(ctx->f_ask_keyring, mgr->key_keeper, sni, keyring_uuid, ctx->origin_crt, ctx->is_origin_crt_verify_passed,
evbase, dnsbase, evhttp); evbase, dnsbase, evhttp);
return; return;
} }