gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

证书校验选项调试通过。

Browse Source
This commit is contained in:
zhengchao
2019-05-14 21:02:06 +08:00
parent f4f7a623a5
commit ae678d5128
2 changed files with 17 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
platform/src/ssl_stream.cpp
View File

@@ -43,9 +43,6 @@
static int SSL_EX_DATA_IDX_SSLMGR;
int SSL_PEER_CERT_VERIFY_PASSED=1;
int SSL_PEER_CERT_VERIFY_FAILED=0;
#define MAX_NET_RETRIES 50
#define LATENCY_WARNING_THRESHOLD_MS 1000
/*
@@ -388,7 +385,8 @@ void ssl_stat_init(struct ssl_mgr * mgr)
return;
}
static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt, const unsigned char* selected_alpn);
static SSL * upstream_ssl_create(struct ssl_mgr * mgr, const struct ssl_chello * chello, evutil_socket_t fd);
static SSL * upstream_ssl_create(struct ssl_mgr * mgr, struct ssl_stream* s_stream, evutil_socket_t fd);
static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr);
struct ssl_chello * ssl_peek_result_release_chello(future_result_t * result)
@@ -418,8 +416,9 @@ struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enu
break;
case CONN_DIR_UPSTREAM:
ATOMIC_INC(&(s_stream->mgr->stat_val[SSL_UP_NEW]));
s_stream->ssl = upstream_ssl_create(mgr, client_hello, fd);
s_stream->up_parts.verify_param.no_verify_expiry_date=1;
s_stream->up_parts.client_hello = client_hello;
s_stream->ssl = upstream_ssl_create(mgr, s_stream, fd);
break;
default: assert(0);
}
@@ -589,7 +588,6 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
//tfe2a uses SSLv23_method, it was been deprecated and replaced with the TLS_method() in openssl 1.1.0.
mgr->sslmethod = TLS_method;
SSL_EX_DATA_IDX_SSLMGR = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
MESA_load_profile_uint_def(ini_profile, section, "ssl_compression", &(mgr->sslcomp), 1);
MESA_load_profile_uint_def(ini_profile, section, "no_ssl2", &(mgr->no_ssl2), 1);
MESA_load_profile_uint_def(ini_profile, section, "no_ssl3", &(mgr->no_ssl3), 1);
@@ -786,12 +784,12 @@ static void ssl_async_peek_client_hello(struct future * f, evutil_socket_t fd, i
* Create new SSL context for outgoing connections to the original destination.
* If hostname sni is provided, use it for Server Name Indication.
*/
static SSL * upstream_ssl_create(struct ssl_mgr * mgr, const struct ssl_chello * chello, evutil_socket_t fd)
static SSL * upstream_ssl_create(struct ssl_mgr * mgr, struct ssl_stream* s_stream, evutil_socket_t fd)
{
SSL_CTX * sslctx = NULL;
SSL * ssl = NULL;
SSL_SESSION * sess = NULL;
struct ssl_chello * chello=s_stream->up_parts.client_hello;
sslctx = SSL_CTX_new(mgr->sslmethod());
sslctx_set_opts(sslctx, mgr);
int ret=0;

19
platform/src/ssl_trusted_cert_storage.cpp
View File

@@ -11,7 +11,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
static int SSL_EX_DATA_IDX_VERIFY_PARAM;
int SSL_EX_DATA_IDX_VERIFY_PARAM=-1;
struct ssl_X509_object
{
@@ -184,7 +184,8 @@ struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem
storage->pem_dir=tfe_strdup(pem_dir);
storage->hash_table=_create_mesa_htable();
pthread_rwlock_init(&(storage->rwlock), NULL);
SSL_EX_DATA_IDX_VERIFY_PARAM = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
assert(SSL_EX_DATA_IDX_VERIFY_PARAM<0);
SSL_EX_DATA_IDX_VERIFY_PARAM = X509_STORE_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
return storage;
@@ -273,9 +274,8 @@ void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage)
return;
}
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
int err, ret=0;
SSL* ssl;
{
int err=0, ret=0;
struct cert_verify_param* param=NULL;
if(preverify_ok)
@@ -287,8 +287,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
* Retrieve the pointer to the SSL of the connection currently treated
* and the application specific data stored into the SSL object.
*/
ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
param = (struct cert_verify_param*)SSL_get_ex_data(ssl, SSL_EX_DATA_IDX_VERIFY_PARAM);
param = (struct cert_verify_param*)X509_STORE_CTX_get_ex_data(ctx, SSL_EX_DATA_IDX_VERIFY_PARAM);
switch(err)
{
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
@@ -333,8 +332,6 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
return 1;
}
X509 * cert = sk_X509_value(cert_chain, 0);
SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_callback);
SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_VERIFY_PARAM, param);
X509_STORE_CTX * ctx = X509_STORE_CTX_new();
pthread_rwlock_rdlock(&(storage->rwlock));
@@ -350,6 +347,10 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
host_matched=1;
}
X509_STORE_CTX_set_verify_cb(ctx, verify_callback);
// SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_VERIFY_PARAM, &(s_stream->up_parts.verify_param));
X509_STORE_CTX_set_ex_data(ctx, SSL_EX_DATA_IDX_VERIFY_PARAM, param);
//If a complete chain can be built and validated this function returns 1, otherwise it return zero or negtive code.
ret = X509_verify_cert(ctx);
err_code=X509_STORE_CTX_get_error(ctx);