gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

证书校验选项调试通过。

Browse Source
This commit is contained in:
zhengchao
2019-05-14 21:02:06 +08:00
parent f4f7a623a5
commit ae678d5128
2 changed files with 17 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
platform/src/ssl_stream.cpp
View File

@@ -43,9 +43,6 @@
static int SSL_EX_DATA_IDX_SSLMGR; static int SSL_EX_DATA_IDX_SSLMGR;
int SSL_PEER_CERT_VERIFY_PASSED=1;
int SSL_PEER_CERT_VERIFY_FAILED=0;
#define MAX_NET_RETRIES 50 #define MAX_NET_RETRIES 50
#define LATENCY_WARNING_THRESHOLD_MS 1000 #define LATENCY_WARNING_THRESHOLD_MS 1000
/* /*
@@ -388,7 +385,8 @@ void ssl_stat_init(struct ssl_mgr * mgr)
return; return;
} }
static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt, const unsigned char* selected_alpn); static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt, const unsigned char* selected_alpn);
static SSL * upstream_ssl_create(struct ssl_mgr * mgr, const struct ssl_chello * chello, evutil_socket_t fd); static SSL * upstream_ssl_create(struct ssl_mgr * mgr, struct ssl_stream* s_stream, evutil_socket_t fd);
static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr); static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr);
struct ssl_chello * ssl_peek_result_release_chello(future_result_t * result) struct ssl_chello * ssl_peek_result_release_chello(future_result_t * result)
@@ -418,8 +416,9 @@ struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enu
break; break;
case CONN_DIR_UPSTREAM: case CONN_DIR_UPSTREAM:
ATOMIC_INC(&(s_stream->mgr->stat_val[SSL_UP_NEW])); ATOMIC_INC(&(s_stream->mgr->stat_val[SSL_UP_NEW]));
s_stream->ssl = upstream_ssl_create(mgr, client_hello, fd); s_stream->up_parts.verify_param.no_verify_expiry_date=1;
s_stream->up_parts.client_hello = client_hello; s_stream->up_parts.client_hello = client_hello;
s_stream->ssl = upstream_ssl_create(mgr, s_stream, fd);
break; break;
default: assert(0); default: assert(0);
} }
@@ -589,7 +588,6 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
//tfe2a uses SSLv23_method, it was been deprecated and replaced with the TLS_method() in openssl 1.1.0. //tfe2a uses SSLv23_method, it was been deprecated and replaced with the TLS_method() in openssl 1.1.0.
mgr->sslmethod = TLS_method; mgr->sslmethod = TLS_method;
SSL_EX_DATA_IDX_SSLMGR = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); SSL_EX_DATA_IDX_SSLMGR = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
MESA_load_profile_uint_def(ini_profile, section, "ssl_compression", &(mgr->sslcomp), 1); MESA_load_profile_uint_def(ini_profile, section, "ssl_compression", &(mgr->sslcomp), 1);
MESA_load_profile_uint_def(ini_profile, section, "no_ssl2", &(mgr->no_ssl2), 1); MESA_load_profile_uint_def(ini_profile, section, "no_ssl2", &(mgr->no_ssl2), 1);
MESA_load_profile_uint_def(ini_profile, section, "no_ssl3", &(mgr->no_ssl3), 1); MESA_load_profile_uint_def(ini_profile, section, "no_ssl3", &(mgr->no_ssl3), 1);
@@ -786,12 +784,12 @@ static void ssl_async_peek_client_hello(struct future * f, evutil_socket_t fd, i
* Create new SSL context for outgoing connections to the original destination. * Create new SSL context for outgoing connections to the original destination.
* If hostname sni is provided, use it for Server Name Indication. * If hostname sni is provided, use it for Server Name Indication.
*/ */
static SSL * upstream_ssl_create(struct ssl_mgr * mgr, const struct ssl_chello * chello, evutil_socket_t fd) static SSL * upstream_ssl_create(struct ssl_mgr * mgr, struct ssl_stream* s_stream, evutil_socket_t fd)
{ {
SSL_CTX * sslctx = NULL; SSL_CTX * sslctx = NULL;
SSL * ssl = NULL; SSL * ssl = NULL;
SSL_SESSION * sess = NULL; SSL_SESSION * sess = NULL;
struct ssl_chello * chello=s_stream->up_parts.client_hello;
sslctx = SSL_CTX_new(mgr->sslmethod()); sslctx = SSL_CTX_new(mgr->sslmethod());
sslctx_set_opts(sslctx, mgr); sslctx_set_opts(sslctx, mgr);
int ret=0; int ret=0;

17
platform/src/ssl_trusted_cert_storage.cpp
View File

@@ -11,7 +11,7 @@
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <assert.h> #include <assert.h>
static int SSL_EX_DATA_IDX_VERIFY_PARAM; int SSL_EX_DATA_IDX_VERIFY_PARAM=-1;
struct ssl_X509_object struct ssl_X509_object
{ {
@@ -184,7 +184,8 @@ struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem
storage->pem_dir=tfe_strdup(pem_dir); storage->pem_dir=tfe_strdup(pem_dir);
storage->hash_table=_create_mesa_htable(); storage->hash_table=_create_mesa_htable();
pthread_rwlock_init(&(storage->rwlock), NULL); pthread_rwlock_init(&(storage->rwlock), NULL);
SSL_EX_DATA_IDX_VERIFY_PARAM = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); assert(SSL_EX_DATA_IDX_VERIFY_PARAM<0);
SSL_EX_DATA_IDX_VERIFY_PARAM = X509_STORE_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
return storage; return storage;
@@ -274,8 +275,7 @@ void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage)
} }
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{ {
int err, ret=0; int err=0, ret=0;
SSL* ssl;
struct cert_verify_param* param=NULL; struct cert_verify_param* param=NULL;
if(preverify_ok) if(preverify_ok)
@@ -287,8 +287,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
* Retrieve the pointer to the SSL of the connection currently treated * Retrieve the pointer to the SSL of the connection currently treated
* and the application specific data stored into the SSL object. * and the application specific data stored into the SSL object.
*/ */
ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); param = (struct cert_verify_param*)X509_STORE_CTX_get_ex_data(ctx, SSL_EX_DATA_IDX_VERIFY_PARAM);
param = (struct cert_verify_param*)SSL_get_ex_data(ssl, SSL_EX_DATA_IDX_VERIFY_PARAM);
switch(err) switch(err)
{ {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
@@ -333,8 +332,6 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
return 1; return 1;
} }
X509 * cert = sk_X509_value(cert_chain, 0); X509 * cert = sk_X509_value(cert_chain, 0);
SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_callback);
SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_VERIFY_PARAM, param);
X509_STORE_CTX * ctx = X509_STORE_CTX_new(); X509_STORE_CTX * ctx = X509_STORE_CTX_new();
pthread_rwlock_rdlock(&(storage->rwlock)); pthread_rwlock_rdlock(&(storage->rwlock));
@@ -350,6 +347,10 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
host_matched=1; host_matched=1;
} }
X509_STORE_CTX_set_verify_cb(ctx, verify_callback);
// SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_VERIFY_PARAM, &(s_stream->up_parts.verify_param));
X509_STORE_CTX_set_ex_data(ctx, SSL_EX_DATA_IDX_VERIFY_PARAM, param);
//If a complete chain can be built and validated this function returns 1, otherwise it return zero or negtive code. //If a complete chain can be built and validated this function returns 1, otherwise it return zero or negtive code.
ret = X509_verify_cert(ctx); ret = X509_verify_cert(ctx);
err_code=X509_STORE_CTX_get_error(ctx); err_code=X509_STORE_CTX_get_error(ctx);