diff --git a/common/src/tfe_future.cpp b/common/src/tfe_future.cpp index 9e39a17..c398d0d 100644 --- a/common/src/tfe_future.cpp +++ b/common/src/tfe_future.cpp @@ -109,19 +109,20 @@ static long field_get_set_cb(void * data, const uchar * key, uint size, void * u if(data==NULL) { field_id=(int*)malloc(sizeof(int)*2); - field_id[0]=FS_register(args->fs_handle, FS_STYLE_HISTOGRAM, FS_CALC_SPEED, (const char * )key); - args->fsid_failed=field_id[0]; + snprintf(buff,sizeof(buff),"%s(ms)",(char*)key); + field_id[0]=FS_register(args->fs_handle, FS_STYLE_HISTOGRAM, FS_CALC_CURRENT, buff); + args->fsid_latency=field_id[0]; snprintf(buff,sizeof(buff),"%s%s",(char*)key,fail_str); field_id[1]=FS_register(args->fs_handle, FS_STYLE_FIELD, FS_CALC_SPEED,buff); - args->fsid_latency=field_id[1]; + args->fsid_failed=field_id[1]; ret = MESA_htable_add(args->htable, key, size, (void*)field_id); - assert(ret==0); + assert(ret>=0); } else { field_id=(int*)data; - args->fsid_failed=field_id[0]; - args->fsid_latency=field_id[1]; + args->fsid_latency=field_id[0]; + args->fsid_failed=field_id[1]; } return 0; } @@ -137,7 +138,7 @@ struct future * future_create(const char* symbol, future_success_cb * cb_success clock_gettime(CLOCK_MONOTONIC,&p->debug.create_time); void * no_use = NULL; long cb_ret=0; - struct field_get_set_args args{.htable = g_FP_instance.name_table, .fs_handle = g_FP_instance.fs_handle}; + struct field_get_set_args args={.htable = g_FP_instance.name_table, .fs_handle = g_FP_instance.fs_handle}; no_use=MESA_htable_search_cb(g_FP_instance.name_table, (const unsigned char*)symbol, strlen(symbol), field_get_set_cb, &args, &cb_ret); p->debug.fsid_latency=args.fsid_latency; p->debug.fsid_failed=args.fsid_failed; @@ -165,7 +166,7 @@ void future_destroy(struct future * f) static void fp_stat_latency(struct _future_promise_debug* debug, int is_success) { struct timespec end; - long long jiffies=0; + long long jiffies_ms=0; clock_gettime(CLOCK_MONOTONIC,&end); if(is_success==1) { @@ -177,19 +178,21 @@ static void fp_stat_latency(struct _future_promise_debug* debug, int is_success) } if(debug->succ_times<=1) { - jiffies=(end.tv_sec-debug->create_time.tv_sec)*1000000000+end.tv_nsec-debug->create_time.tv_nsec; - FS_operate(g_FP_instance.fs_handle, debug->fsid_latency, 0, FS_OP_SET, jiffies); + jiffies_ms=(end.tv_sec-debug->create_time.tv_sec)*1000+(end.tv_nsec-debug->create_time.tv_nsec)/1000000; + FS_operate(g_FP_instance.fs_handle, debug->fsid_latency, 0, FS_OP_SET, jiffies_ms); } return; } void promise_failed(struct promise * p, enum e_future_error error, const char * what) { + fp_stat_latency(&p->debug, 0); p->f.cb_failed(error, what, p->f.user); return; } void promise_success(struct promise * p, void * result) { + fp_stat_latency(&p->debug, 1); p->f.cb_success(result, p->f.user); return; } diff --git a/platform/include/internal/key_keeper.h b/platform/include/internal/key_keeper.h index 4211a73..ab41b4c 100644 --- a/platform/include/internal/key_keeper.h +++ b/platform/include/internal/key_keeper.h @@ -13,40 +13,16 @@ struct keyring STACK_OF(X509) * chain; }; -struct key_keeper -{ - unsigned int mode; - char cert_store_host[TFE_STRING_MAX]; - unsigned int cert_store_port; - MESA_htable_handle htable; - void* logger; -}; +struct key_keeper; struct key_keeper * key_keeper_init(const char * profile, const char* section, void* logger); -struct key_keeper * key_keeper_destroy(struct key_keeper *keeper); +void key_keeper_destroy(struct key_keeper *keeper); -struct keyring* key_keeper_release_cert(future_result_t* result); - -struct keyring* key_keeper_keyring_new(void); - -struct keyring* key_keeper_keyring_new3(EVP_PKEY *key, X509 *cert, STACK_OF(X509) *chain); +struct keyring* key_keeper_release_keyring(future_result_t* result); void key_keeper_free_keyring(struct keyring* cert); -void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, int keyring_id, - X509 * origin_cert, int is_cert_valid, struct event_base * evbase); - -void key_keeper_keyring_refcount_inc(struct keyring* ring); - -void key_keeper_keyring_set_cert(struct keyring* ring, X509 *cert); - -void key_keeper_keyring_set_key(struct keyring* ring, EVP_PKEY *key); - -void key_keeper_keyring_set_chain(struct keyring* ring, STACK_OF(X509) *chain); - -static void key_keeper_free_serialized(); - -static void key_keeper_verify_cb(); - +void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, int keyring_id, + X509 * origin_cert, int is_cert_valid, struct event_base * evbase); diff --git a/platform/src/key_keeper.cpp b/platform/src/key_keeper.cpp index 59f00b1..1655a9a 100644 --- a/platform/src/key_keeper.cpp +++ b/platform/src/key_keeper.cpp @@ -10,6 +10,15 @@ #define KEYRING_EXSITED 0 #define KEYRING_NOT_EXSITED -1 +struct key_keeper +{ + unsigned int mode; + char cert_store_host[TFE_STRING_MAX]; + unsigned int cert_store_port; + MESA_htable_handle htable; + void* logger; +}; + enum KEY_KEEPER_MODE{ NORMAL = 0, DEBUG, @@ -32,64 +41,34 @@ struct key_keeper_promise_ctx static const uchar* get_key_by_cert(X509* cert, int keyring_id, unsigned int* len); -static long htable_search_cb(void * data, const uchar * key, uint size, void * user_arg); - -static int __wrapper_MESA_htable_set_opt(MESA_htable_handle table, enum MESA_htable_opt opt_type, unsigned int value); - -static MESA_htable_handle create_hash_table(unsigned int slot_size, unsigned int expire_seconds); - -static struct keyring* generate_x509_cert(X509* origin_cert, int keyring_id, const char* filename); - -static void tfe_rpc_on_succ(void* result, void* user); - -static void tfe_rpc_on_fail(enum e_future_error err, const char * what, void * user); - -static void ctx_destory_cb(struct promise* p); - -static X509* get_cert_from_response(const char* data, int len, void* logger); - -static EVP_PKEY* get_key_from_response(const char* data, int len, void* logger); - -static STACK_OF(X509)* get_chain_from_response(const char* data, int len, void* logger); -/* - * Certificate, including private key and keyring chain. - */ -struct keyring* -key_keeper_keyring_new(void) +static struct keyring_private* keyring_new(void) { - struct keyring_private *keyring; - if (!(keyring = (struct keyring_private *)ALLOC(struct keyring_private, 1))) + struct keyring_private *kyr; + if (!(kyr = (struct keyring_private *)ALLOC(struct keyring_private, 1))) { return NULL; } - if (pthread_mutex_init(&keyring->mutex, NULL)) { - free(keyring); + if (pthread_mutex_init(&kyr->mutex, NULL)) { + free(kyr); return NULL; } - keyring->references = 1; - return &(keyring->head); + kyr->references = 1; + return kyr; } /* * Passed OpenSSL objects are owned by cert_t; refcount will not be * incremented, stack will not be duplicated. */ -struct keyring* -key_keeper_keyring_new3(EVP_PKEY *key, X509 *cert, STACK_OF(X509) *chain) +struct keyring* keyring_new3(EVP_PKEY *key, X509 *cert, STACK_OF(X509) *chain) { - struct keyring_private* keyring; - if (!(keyring = (struct keyring_private *)ALLOC(struct keyring_private, 1))) - { - return NULL; - } - if (pthread_mutex_init(&keyring->mutex, NULL)) { - free(keyring); - return NULL; - } - keyring->references = 1; - (keyring->head).key = key; - (keyring->head).cert = cert; - (keyring->head).chain = chain; + struct keyring_private* kyr=NULL; + kyr=keyring_new(); + + kyr->references = 1; + (kyr->head).key = key; + (kyr->head).cert = cert; + (kyr->head).chain = chain; if(key) { ssl_key_refcount_inc(key); @@ -105,111 +84,213 @@ key_keeper_keyring_new3(EVP_PKEY *key, X509 *cert, STACK_OF(X509) *chain) ssl_x509_refcount_inc(sk_X509_value(chain, i)); } } - return &(keyring->head); + return &(kyr->head); } // Increment reference count. -void -key_keeper_keyring_refcount_inc(struct keyring* ring) +void keyring_ref_inc(struct keyring_private* kyr) { - struct keyring_private* keyring = (struct keyring_private*)ring; - pthread_mutex_lock(&keyring->mutex); - keyring->references++; - pthread_mutex_unlock(&keyring->mutex); + pthread_mutex_lock(&kyr->mutex); + kyr->references++; + pthread_mutex_unlock(&kyr->mutex); } /* * Thread-safe setter functions; they copy the value (refcounts are inc'd). */ -void -key_keeper_keyring_set_key(struct keyring* ring, EVP_PKEY *key) +static void keyring_set_key(struct keyring_private* kyr, EVP_PKEY *key) { - struct keyring_private* keyring = (struct keyring_private*)ring; - pthread_mutex_lock(&keyring->mutex); - if ((keyring->head).key) + pthread_mutex_lock(&kyr->mutex); + if ((kyr->head).key) { - EVP_PKEY_free((keyring->head).key); + EVP_PKEY_free((kyr->head).key); } - (keyring->head).key = key; + (kyr->head).key = key; if (key) { - ssl_key_refcount_inc((keyring->head).key); + ssl_key_refcount_inc((kyr->head).key); } - pthread_mutex_unlock(&keyring->mutex); + pthread_mutex_unlock(&kyr->mutex); } -void -key_keeper_keyring_set_cert(struct keyring* ring, X509 *cert) +static void keyring_set_cert(struct keyring_private* kry, X509 *cert) { - struct keyring_private* keyring = (struct keyring_private*)ring; - pthread_mutex_lock(&keyring->mutex); - if ((keyring->head).cert) + pthread_mutex_lock(&kry->mutex); + if ((kry->head).cert) { - X509_free((keyring->head).cert); + X509_free((kry->head).cert); } - (keyring->head).cert = cert; + (kry->head).cert = cert; if (cert) { - ssl_x509_refcount_inc((keyring->head).cert); + ssl_x509_refcount_inc((kry->head).cert); } - pthread_mutex_unlock(&keyring->mutex); + pthread_mutex_unlock(&kry->mutex); } -void -key_keeper_keyring_set_chain(struct keyring* ring, STACK_OF(X509) *chain) +static void keyring_set_chain(struct keyring_private* kyr, STACK_OF(X509) *chain) { - struct keyring_private* keyring = (struct keyring_private*)ring; - pthread_mutex_lock(&keyring->mutex); - if ((keyring->head).chain) + pthread_mutex_lock(&kyr->mutex); + if ((kyr->head).chain) { - sk_X509_pop_free((keyring->head).chain, X509_free); + sk_X509_pop_free((kyr->head).chain, X509_free); } if (chain) { - (keyring->head).chain = sk_X509_dup(chain); + (kyr->head).chain = sk_X509_dup(chain); int i = 0; - for (i = 0; i < sk_X509_num((keyring->head).chain); i++) + for (i = 0; i < sk_X509_num((kyr->head).chain); i++) { - ssl_x509_refcount_inc(sk_X509_value((keyring->head).chain, i)); + ssl_x509_refcount_inc(sk_X509_value((kyr->head).chain, i)); } } else { - (keyring->head).chain = NULL; + (kyr->head).chain = NULL; } - pthread_mutex_unlock(&keyring->mutex); + pthread_mutex_unlock(&kyr->mutex); } /* * Free keyring including internal objects. */ -void -key_keeper_free_keyring(struct keyring *ring) +void key_keeper_free_keyring(struct keyring *kyr) { - struct keyring_private* keyring = (struct keyring_private*)ring; - pthread_mutex_lock(&keyring->mutex); - keyring->references--; - if (keyring->references) + struct keyring_private* _kyr = (struct keyring_private*)kyr; + pthread_mutex_lock(&_kyr->mutex); + _kyr->references--; + if (_kyr->references>0) { - pthread_mutex_unlock(&keyring->mutex); + pthread_mutex_unlock(&_kyr->mutex); return; } - pthread_mutex_unlock(&keyring->mutex); - pthread_mutex_destroy(&keyring->mutex); - if ((keyring->head).key) + pthread_mutex_unlock(&_kyr->mutex); + pthread_mutex_destroy(&_kyr->mutex); + if ((_kyr->head).key) { - EVP_PKEY_free((keyring->head).key); + EVP_PKEY_free((_kyr->head).key); + (_kyr->head).key=NULL; } - if ((keyring->head).cert) + if ((_kyr->head).cert) { - X509_free((keyring->head).cert); + X509_free((_kyr->head).cert); + (_kyr->head).cert=NULL; } - if ((keyring->head).chain) + if ((_kyr->head).chain) { - sk_X509_pop_free((keyring->head).chain, X509_free); + sk_X509_pop_free((_kyr->head).chain, X509_free); + (_kyr->head).chain=NULL; } - free(keyring); + free(_kyr); } +static long keyring_local_cache_query_cb(void * data, const uchar * key, uint size, void * user_arg) +{ + //data is (struct keyring*) + struct keyring_private* kyr=(struct keyring_private*)data; + if(kyr == NULL) + { + return KEYRING_NOT_EXSITED; + } + else + { + struct promise* p = (struct promise*)user_arg; + promise_success(p, data); + return KEYRING_EXSITED; + } +} +static void certstore_rpc_on_fail(enum e_future_error err, const char * what, void * user) +{ + struct promise * p = (struct promise *) user; + promise_failed(p, err, what); +} +static struct keyring_private* generate_x509_keyring(X509* origin_cert, int keyring_id, const char* filename) +{ + X509* ca = ssl_x509_load(filename); + EVP_PKEY* cakey = ssl_key_load(filename); + EVP_PKEY* forge_key = ssl_key_genrsa(1024); + X509* forge_cert = ssl_x509_forge(ca, cakey, origin_cert, forge_key, NULL, NULL); + STACK_OF(X509)* chain = sk_X509_new_null(); + sk_X509_push(chain, ca); + sk_X509_push(chain, forge_cert); + struct keyring_private* ring= keyring_new(); + keyring_set_key(ring, forge_key); + keyring_set_cert(ring, forge_cert); + keyring_set_chain(ring, chain); + return ring; +} +//how to free +static X509* get_cert_from_response(const char* data, int len, void* logger) +{ + BIO *bio; + X509 *cert; + bio = BIO_new(BIO_s_mem()); + BIO_write(bio, (const void*)data, len); + cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); + return cert; +} + +static EVP_PKEY* get_key_from_response(const char* data, int len, void* logger) +{ + +} + + +static STACK_OF(X509)* get_chain_from_response(const char* data, int len, void* logger) +{ + +} + +static void certstore_rpc_on_succ(void* result, void* user) +{ + struct promise * p = (struct promise *) user; + struct key_keeper_promise_ctx* ctx = (struct key_keeper_promise_ctx*)promise_get_ctx(p); + void* logger = ctx->logger; + MESA_htable_handle htable= ctx->htable; + const uchar* key = ctx->key; + unsigned int key_len = ctx->key_len; + //transform to x509 + struct tfe_rpc_response_result* response = tfe_rpc_release(result); + int status_code = response->status_code; + const char* status_msg = response->status_msg; + const char* data = response->data; + int len = response->len; + if(status_code == HTTP_OK) + { + struct keyring_private* ring= keyring_new(); + X509* forge_cert = get_cert_from_response(data, len, NULL); + EVP_PKEY* forge_key = get_key_from_response(data, len, NULL); + STACK_OF(X509)* chain = get_chain_from_response(data, len, NULL); + keyring_set_key(ring, forge_key); + keyring_set_cert(ring, forge_cert); + keyring_set_chain(ring, chain); + promise_success(p, (void*)ring); + + keyring_ref_inc(ring); + int ret = MESA_htable_add(htable, key, key_len, (void*)ring); + if(ret<0) + { + key_keeper_free_keyring((struct keyring*)ring); + } + } + else + { + promise_failed(p, FUTURE_ERROR_EXCEPTION, status_msg); + } +} + + +static int __wrapper_MESA_htable_set_opt(MESA_htable_handle table, enum MESA_htable_opt opt_type, unsigned int value); + +static MESA_htable_handle create_hash_table(unsigned int slot_size, unsigned int expire_seconds); + +static STACK_OF(X509)* get_chain_from_response(const char* data, int len, void* logger); +/* + * Certificate, including private key and keyring chain. + */ + + + + static void key_keeper_free_serialized() { return; @@ -235,79 +316,22 @@ key_keeper_init(const char * profile, const char* section, void* logger) return keeper; } -//return void ?? -struct key_keeper * -key_keeper_destroy(struct key_keeper *keeper) +void key_keeper_destroy(struct key_keeper *keeper) { free(keeper); keeper = NULL; - return keeper; + return; } -struct keyring* -key_keeper_release_cert(future_result_t* result) +struct keyring* key_keeper_release_keyring(future_result_t* result) { - return (struct keyring*)result; -} - -static struct keyring* -generate_x509_cert(X509* origin_cert, int keyring_id, const char* filename) -{ - X509* ca = ssl_x509_load(filename); - EVP_PKEY* cakey = ssl_key_load(filename); - EVP_PKEY* forge_key = ssl_key_genrsa(1024); - X509* forge_cert = ssl_x509_forge(ca, cakey, origin_cert, forge_key, NULL, NULL); - STACK_OF(X509)* chain = sk_X509_new_null(); - sk_X509_push(chain, ca); - sk_X509_push(chain, forge_cert); - struct keyring* ring= key_keeper_keyring_new(); - key_keeper_keyring_set_key(ring, forge_key); - key_keeper_keyring_set_cert(ring, forge_cert); - key_keeper_keyring_set_chain(ring, chain); - return ring; -} - -static void -tfe_rpc_on_succ(void* result, void* user) -{ - struct promise * p = (struct promise *) user; - struct key_keeper_promise_ctx* ctx = (struct key_keeper_promise_ctx*)promise_get_ctx(p); - void* logger = ctx->logger; - MESA_htable_handle htable= ctx->htable; - const uchar* key = ctx->key; - unsigned int key_len = ctx->key_len; - //transform to x509 - struct tfe_rpc_response_result* response = tfe_rpc_release(result); - int status_code = response->status_code; - const char* status_msg = response->status_msg; - const char* data = response->data; - int len = response->len; - if(status_code == HTTP_OK) - { - struct keyring* ring= key_keeper_keyring_new(); - X509* forge_cert = get_cert_from_response(data, len, NULL); - EVP_PKEY* forge_key = get_key_from_response(data, len, NULL); - STACK_OF(X509)* chain = get_chain_from_response(data, len, NULL); - key_keeper_keyring_set_key(ring, forge_key); - key_keeper_keyring_set_cert(ring, forge_cert); - key_keeper_keyring_set_chain(ring, chain); - promise_success(p, (void*)ring); - int ret = MESA_htable_add(htable, key, key_len, (void*)ring); - assert(ret >= 0); - } - else - { - promise_failed(p, FUTURE_ERROR_EXCEPTION, status_msg); - } + struct keyring_private* kyr=(struct keyring_private*)result; + keyring_ref_inc(kyr); + return &(kyr->head); } -static void -tfe_rpc_on_fail(enum e_future_error err, const char * what, void * user) -{ - struct promise * p = (struct promise *) user; - promise_failed(p, err, what); -} + static void ctx_destory_cb(struct promise* p) @@ -316,7 +340,7 @@ static void ctx_destory_cb(struct promise* p) } //TODO: cert_not_valid -void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, int keyring_id, X509 * origin_cert, int is_cert_valid, struct event_base * evbase) +void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, int keyring_id, X509 * origin_cert, int is_cert_valid, struct event_base * evbase) { //get subject name from cert @@ -331,7 +355,7 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, int key ctx->key_len = len; promise_set_ctx(p, (void*)ctx, ctx_destory_cb); long int cb_rtn = 0; - MESA_htable_search_cb(ctx->htable, (const unsigned char*)(ctx->key), ctx->key_len, htable_search_cb, p, &cb_rtn); + MESA_htable_search_cb(ctx->htable, (const unsigned char*)(ctx->key), ctx->key_len, keyring_local_cache_query_cb, p, &cb_rtn); printf(cb_rtn == KEYRING_EXSITED ? "KEYRING_EXSITED\n": "KEYRING_NOT_EXSITED\n"); if(cb_rtn == KEYRING_EXSITED) { @@ -342,7 +366,7 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, int key switch(mode){ case NORMAL: { - struct future* f_tfe_rpc = future_create("tfe_rpc", tfe_rpc_on_succ, tfe_rpc_on_fail, p); + struct future* f_tfe_rpc = future_create("tfe_rpc", certstore_rpc_on_succ, certstore_rpc_on_fail, p); //TODO: init in main()? store in ctx struct tfe_rpc* rpc = tfe_rpc_init(NULL, NULL, keeper->logger); char url[TFE_STRING_MAX]; @@ -355,13 +379,21 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, int key { //TOOD: generate X509 cert const char* filename = "./conf/mesalab-ca.pem"; - struct keyring* ring = generate_x509_cert(origin_cert, keyring_id, filename); + struct keyring_private* ring = generate_x509_keyring(origin_cert, keyring_id, filename); if(ring) { + keyring_ref_inc(ring); int ret = MESA_htable_add(ctx->htable, ctx->key, ctx->key_len, (void*)ring); - assert(ret >= 0); - printf("key %s is added to hash table\n", ctx->key); + if(ret<0) + { + key_keeper_free_keyring((struct keyring*)ring); + } + else + { + printf("key %s is added to hash table\n", ctx->key); + } promise_success(p, (void*)ring); + key_keeper_free_keyring((struct keyring*)ring); } else { @@ -373,21 +405,6 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, int key return; } -static long -htable_search_cb(void * data, const uchar * key, uint size, void * user_arg) -{ - //data is (struct keyring*) - if(data == NULL) - { - return KEYRING_NOT_EXSITED; - } - else - { - struct promise* p = (struct promise*)user_arg; - promise_success(p, data); - return KEYRING_EXSITED; - } -} static const uchar* get_key_by_cert(X509* cert, int keyring_id, unsigned int* len) @@ -438,201 +455,5 @@ create_hash_table(unsigned int slot_size, unsigned int expire_seconds) return htable; } -//how to free -static X509* -get_cert_from_response(const char* data, int len, void* logger) -{ - BIO *bio; - X509 *cert; - bio = BIO_new(BIO_s_mem()); - BIO_write(bio, (const void*)data, len); - cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); - return cert; -} - -static EVP_PKEY* -get_key_from_response(const char* data, int len, void* logger) -{ - -} -static STACK_OF(X509)* -get_chain_from_response(const char* data, int len, void* logger) -{ - -} -/* - * Passed OpenSSL objects are copied by cert_t; crt/key refcount will be - * incremented, stack will be duplicated. - * / -cert_t *cert_new3_copy(EVP_PKEY *key, X509 *crt, STACK_OF(X509) *chain) -{ - cert_t *c; - - if (!(c = (cert_t *)malloc(sizeof(cert_t)))) - return NULL; - if (pthread_mutex_init(&c->mutex, NULL)) { - free(c); - return NULL; - } - c->key = key; - ssl_key_refcount_inc(c->key); - c->crt = crt; - ssl_x509_refcount_inc(c->crt); - c->chain = sk_X509_dup(chain); - for (int i = 0; i < sk_X509_num(c->chain); i++) { - ssl_x509_refcount_inc(sk_X509_value(c->chain, i)); - } - c->references = 1; - return c; -} -*/ - -/* - * Load cert_t from file. - * / -cert_t *cert_new_load(const char *filename) -{ - cert_t *c; - - if (!(c = (cert_t *)malloc(sizeof(cert_t)))) - return NULL; - memset(c, 0, sizeof(cert_t)); - if (pthread_mutex_init(&c->mutex, NULL)) { - free(c); - return NULL; - } - - if (ssl_x509chain_load(&c->crt, &c->chain, filename) == -1) { - free(c); - return NULL; - } - c->key = ssl_key_load(filename); - if (!c->key) { - X509_free(c->crt); - if (c->chain) { - sk_X509_pop_free(c->chain, X509_free); - } - free(c); - return NULL; - } - c->references = 1; - return c; -} -*/ - -/* -void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, int keyring_id, - X509 * origin_cert, int is_cert_valid, struct event_base * evbase) -{ - X509* orig_cert=SSL_get_peer_certificate(origssl); - //todo: need implement - cert_t * keyring = NULL; - if (opts->tgcrtdir) - { - if (ctx->sni) - { - keyring = (cert_t *) cachemgr_tgcrt_get(ctx->sni); - if (!keyring) - { - char * wildcarded = ssl_wildcardify(ctx->sni); - if (!wildcarded) - { - ctx->enomem = 1; - return NULL; - } - keyring = (cert_t *) cachemgr_tgcrt_get(wildcarded); - free(wildcarded); - } - if (keyring && OPTS_DEBUG(ctx->opts)) - { - log_dbg_printf("Target keyring by SNI\n"); - } - } - else if (ctx->origcrt) - { - char ** names = ssl_x509_names(ctx->origcrt); - for (char ** p = names; *p; p++) - { - if (!keyring) - { - keyring = (cert_t *) cachemgr_tgcrt_get(*p); - } - if (!keyring) - { - char * wildcarded = ssl_wildcardify(*p); - if (!wildcarded) - { - ctx->enomem = 1; - } - else - { - keyring = (cert_t *) (wildcarded); - free(wildcarded); - } - } - free(*p); - } - free(names); - if (ctx->enomem) - { - return NULL; - } - if (keyring && OPTS_DEBUG(ctx->opts)) - { - log_dbg_printf("Target keyring by origcrt\n"); - } - } - - if (keyring) - { - ctx->immutable_cert = 1; - } - } - - if (!keyring && ctx->origcrt && ctx->opts->key) - { - keyring = cert_new(); - keyring->cert = (X509 *) cachemgr_fkcrt_get(ctx->origcrt); - - if (keyring->cert) - { - if (OPTS_DEBUG(ctx->opts)) log_dbg_printf("Certificate cache: HIT\n"); - } - else - { - if (OPTS_DEBUG(ctx->opts)) log_dbg_printf("Certificate cache: MISS\n"); - keyring->cert = ssl_x509_forge(ctx->opts->cacrt, - ctx->opts->cakey, - ctx->origcrt, - ctx->opts->key, - NULL, - ctx->opts->crlurl); - cachemgr_fkcrt_set(ctx->origcrt, keyring->cert); - } - - cert_set_key(keyring, ctx->opts->key); - cert_set_chain(keyring, ctx->opts->chain); - ctx->generated_cert = 1; - } - - if ((WANT_CONNECT_LOG(ctx) || ctx->opts->certgendir) && ctx->origcrt) - { - ctx->origcrtfpr = ssl_x509_fingerprint(ctx->origcrt, 0); - if (!ctx->origcrtfpr) - ctx->enomem = 1; - } - - if ((WANT_CONNECT_LOG(ctx) || ctx->opts->certgen_writeall) && - keyring && keyring->cert) - { - ctx->usedcrtfpr = ssl_x509_fingerprint(keyring->cert, 0); - if (!ctx->usedcrtfpr) - ctx->enomem = 1; - } - - return keyring; -} -*/ - diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp index 5a48a22..919dc23 100644 --- a/platform/src/ssl_stream.cpp +++ b/platform/src/ssl_stream.cpp @@ -232,7 +232,7 @@ void ssl_free_chello(struct ssl_chello * p) } struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enum tfe_conn_dir dir, - struct ssl_chello * client_hello, struct keyring * crt) + struct ssl_chello * client_hello, struct keyring * kyr) { struct sockaddr addr; socklen_t addrlen; @@ -245,8 +245,8 @@ struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enu assert(ret == 0); switch (dir) { - case CONN_DIR_DOWNSTREAM: s_stream->ssl = downstream_ssl_create(mgr, crt); - s_stream->keyring = crt; + case CONN_DIR_DOWNSTREAM: s_stream->ssl = downstream_ssl_create(mgr, kyr); + s_stream->keyring = kyr; break; case CONN_DIR_UPSTREAM: s_stream->ssl = upstream_ssl_create(mgr, client_hello, fd); s_stream->client_hello = client_hello; @@ -1138,21 +1138,20 @@ void ask_keyring_on_succ(void * result, void * user) struct ask_keyring_ctx * ctx = (struct ask_keyring_ctx *) promise_dettach_ctx(p); struct ssl_stream * downstream = NULL; - struct keyring * crt = NULL; + struct keyring * kyr = NULL; struct ssl_mgr * mgr = ctx->ssl_mgr; future_destroy(ctx->f_query_cert); ctx->f_query_cert = NULL; - crt = key_keeper_release_cert(result); - ctx->downstream = ssl_stream_new(mgr, ctx->fd_downstream, CONN_DIR_DOWNSTREAM, NULL, crt); + kyr = key_keeper_release_keyring(result); //kyr will be freed at ssl downstream closing. + ctx->downstream = ssl_stream_new(mgr, ctx->fd_downstream, CONN_DIR_DOWNSTREAM, NULL, kyr); ctx->bev_down = bufferevent_openssl_socket_new(ctx->evbase, ctx->fd_downstream, ctx->downstream->ssl, BUFFEREVENT_SSL_CONNECTING, BEV_OPT_DEFER_CALLBACKS); bufferevent_openssl_set_allow_dirty_shutdown(ctx->bev_down, 1); promise_success(p, ctx); - key_keeper_free_keyring(crt); query_cert_ctx_free(ctx); } @@ -1173,7 +1172,7 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct { assert(upstream->dir == CONN_DIR_UPSTREAM); - + const char* sni=NULL; struct ask_keyring_ctx * ctx = ALLOC(struct ask_keyring_ctx, 1); ctx->keyring_id = keyring_id; ctx->ssl_mgr = mgr; @@ -1184,6 +1183,7 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct { ctx->origin_ssl = upstream; ctx->origin_crt = SSL_get_peer_certificate(upstream->ssl); + sni=upstream->client_hello->sni; } struct promise * p = future_to_promise(f); @@ -1194,7 +1194,7 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct ATOMIC_INC(&(mgr->stat_val[SSL_FAKE_CRT])); } ctx->f_query_cert = future_create("ask_kyr",ask_keyring_on_succ, ask_keyring_on_fail, p); - key_keeper_async_ask(ctx->f_query_cert, mgr->keeper_of_keys, keyring_id, ctx->origin_crt, ctx->is_origin_crt_vaild, + key_keeper_async_ask(ctx->f_query_cert, mgr->keeper_of_keys, sni, keyring_id, ctx->origin_crt, ctx->is_origin_crt_vaild, evbase); return; } diff --git a/platform/src/tcp_stream.cpp b/platform/src/tcp_stream.cpp index 2da0cc0..23ee74d 100644 --- a/platform/src/tcp_stream.cpp +++ b/platform/src/tcp_stream.cpp @@ -552,7 +552,7 @@ void tfe_stream_destory(struct tfe_stream_private * stream) if (__IS_SSL(stream) && stream->ssl_downstream) { - evutil_socket_t __to_closed_fd = __conn_private_release_fd(stream->conn_upstream); + evutil_socket_t __to_closed_fd = __conn_private_release_fd(stream->conn_downstream); ssl_stream_free_and_close_fd(stream->ssl_downstream, ev_base, __to_closed_fd); } diff --git a/platform/test/test_key_keeper.cpp b/platform/test/test_key_keeper.cpp index f3116e2..005a7d2 100644 --- a/platform/test/test_key_keeper.cpp +++ b/platform/test/test_key_keeper.cpp @@ -20,7 +20,7 @@ main() for(i = 0;i<10;i++){ printf("-------------------------------\n"); printf("call key_keeper_async_ask, i = %d\n", i); - key_keeper_async_ask(f, keeper, 0, origin_cert, 0, evbase); + key_keeper_async_ask(f, keeper, NULL, 0, origin_cert, 0, evbase); } } diff --git a/platform/test/test_tfe_rpc.cpp b/platform/test/test_tfe_rpc.cpp index b4b7279..e257e44 100644 --- a/platform/test/test_tfe_rpc.cpp +++ b/platform/test/test_tfe_rpc.cpp @@ -31,7 +31,7 @@ int main() { char cert_store_host[TFE_STRING_MAX]; unsigned int cert_store_port; - const char* file_path = "./log/test_tfe_rpc.log"; + const char* file_path = "./log/test_tfe_rpc.log",*host="localhost"; void * logger = MESA_create_runtime_log_handle(file_path, RLOG_LV_INFO); const char* profile = "./conf/tfe.conf"; const char* section = "key_keeper"; @@ -48,3 +48,4 @@ int main() tfe_rpc_async_ask(f_tfe_rpc, rpc, url, GET, DONE_CB, NULL, 0, evbase); event_base_dispatch(evbase); } +