完成和key keeper的联调。

zhengchao
2018-09-04 18:13:05 +08:00
parent 636e41cfca
commit af6340becf
7 changed files with 230 additions and 429 deletions


@@ -232,7 +232,7 @@ void ssl_free_chello(struct ssl_chello * p)
}
struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enum tfe_conn_dir dir,
struct ssl_chello * client_hello, struct keyring * crt)
struct ssl_chello * client_hello, struct keyring * kyr)
{
struct sockaddr addr;
socklen_t addrlen;
@@ -245,8 +245,8 @@ struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enu
assert(ret == 0);
switch (dir)
{
case CONN_DIR_DOWNSTREAM: s_stream->ssl = downstream_ssl_create(mgr, crt);
s_stream->keyring = crt;
case CONN_DIR_DOWNSTREAM: s_stream->ssl = downstream_ssl_create(mgr, kyr);
s_stream->keyring = kyr;
break;
case CONN_DIR_UPSTREAM: s_stream->ssl = upstream_ssl_create(mgr, client_hello, fd);
s_stream->client_hello = client_hello;
@@ -1138,21 +1138,20 @@ void ask_keyring_on_succ(void * result, void * user)
struct ask_keyring_ctx * ctx = (struct ask_keyring_ctx *) promise_dettach_ctx(p);
struct ssl_stream * downstream = NULL;
struct keyring * crt = NULL;
struct keyring * kyr = NULL;
struct ssl_mgr * mgr = ctx->ssl_mgr;
future_destroy(ctx->f_query_cert);
ctx->f_query_cert = NULL;
crt = key_keeper_release_cert(result);
ctx->downstream = ssl_stream_new(mgr, ctx->fd_downstream, CONN_DIR_DOWNSTREAM, NULL, crt);
kyr = key_keeper_release_keyring(result); //kyr will be freed at ssl downstream closing.
ctx->downstream = ssl_stream_new(mgr, ctx->fd_downstream, CONN_DIR_DOWNSTREAM, NULL, kyr);
ctx->bev_down = bufferevent_openssl_socket_new(ctx->evbase, ctx->fd_downstream, ctx->downstream->ssl,
BUFFEREVENT_SSL_CONNECTING, BEV_OPT_DEFER_CALLBACKS);
bufferevent_openssl_set_allow_dirty_shutdown(ctx->bev_down, 1);
promise_success(p, ctx);
key_keeper_free_keyring(crt);
query_cert_ctx_free(ctx);
}
@@ -1173,7 +1172,7 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct
{
assert(upstream->dir == CONN_DIR_UPSTREAM);
const char* sni=NULL;
struct ask_keyring_ctx * ctx = ALLOC(struct ask_keyring_ctx, 1);
ctx->keyring_id = keyring_id;
ctx->ssl_mgr = mgr;
@@ -1184,6 +1183,7 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct
{
ctx->origin_ssl = upstream;
ctx->origin_crt = SSL_get_peer_certificate(upstream->ssl);
sni=upstream->client_hello->sni;
}
struct promise * p = future_to_promise(f);
@@ -1194,7 +1194,7 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct
ATOMIC_INC(&(mgr->stat_val[SSL_FAKE_CRT]));
}
ctx->f_query_cert = future_create("ask_kyr",ask_keyring_on_succ, ask_keyring_on_fail, p);
key_keeper_async_ask(ctx->f_query_cert, mgr->keeper_of_keys, keyring_id, ctx->origin_crt, ctx->is_origin_crt_vaild,
key_keeper_async_ask(ctx->f_query_cert, mgr->keeper_of_keys, sni, keyring_id, ctx->origin_crt, ctx->is_origin_crt_vaild,
evbase);
return;
}
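Review bot: `sni=upstream->client_hello->sni;` in the hunk at 1183 dereferences `upstream->client_hello` without a NULL check; `ssl_stream_new` stores whatever `client_hello` pointer it is handed for the upstream direction, and nothing visible here guarantees it is non-NULL, so a guard such as `sni = upstream->client_hello ? upstream->client_hello->sni : NULL;` would preserve the NULL default declared at the top of the function. The SNI string appears to originate from the peer's ClientHello and is now passed to `key_keeper_async_ask` to drive the keyring lookup, so the call site should document that the key keeper must treat it as untrusted input (length-bounded, not used to build paths or queries unescaped) and whether it copies the string or requires `upstream->client_hello` to outlive the asynchronous request. The `if` whose body assigns `sni` has its condition outside the hunk, and `ssl_async_downstream_create` itself begins before the hunk at 1172. Separately, in the hunk at 1138 the comment `//kyr will be freed at ssl downstream closing.` records an ownership transfer that belongs on `ssl_stream_new`'s declaration, e.g. `/* For CONN_DIR_DOWNSTREAM the stream takes ownership of kyr and frees it when the stream is closed; the caller must not free it. */`.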