gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

完成和key keeper的联调。

Browse Source
This commit is contained in:
zhengchao
2018-09-04 18:13:05 +08:00
parent 636e41cfca
commit af6340becf
7 changed files with 230 additions and 429 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
common/src/tfe_future.cpp
View File

@@ -109,19 +109,20 @@ static long field_get_set_cb(void * data, const uchar * key, uint size, void * u
if(data==NULL) if(data==NULL)
{ {
field_id=(int*)malloc(sizeof(int)*2); field_id=(int*)malloc(sizeof(int)*2);
field_id[0]=FS_register(args->fs_handle, FS_STYLE_HISTOGRAM, FS_CALC_SPEED, (const char * )key); snprintf(buff,sizeof(buff),"%s(ms)",(char*)key);
args->fsid_failed=field_id[0]; field_id[0]=FS_register(args->fs_handle, FS_STYLE_HISTOGRAM, FS_CALC_CURRENT, buff);
args->fsid_latency=field_id[0];
snprintf(buff,sizeof(buff),"%s%s",(char*)key,fail_str); snprintf(buff,sizeof(buff),"%s%s",(char*)key,fail_str);
field_id[1]=FS_register(args->fs_handle, FS_STYLE_FIELD, FS_CALC_SPEED,buff); field_id[1]=FS_register(args->fs_handle, FS_STYLE_FIELD, FS_CALC_SPEED,buff);
args->fsid_latency=field_id[1]; args->fsid_failed=field_id[1];
ret = MESA_htable_add(args->htable, key, size, (void*)field_id); ret = MESA_htable_add(args->htable, key, size, (void*)field_id);
assert(ret==0); assert(ret>=0);
} }
else else
{ {
field_id=(int*)data; field_id=(int*)data;
args->fsid_failed=field_id[0]; args->fsid_latency=field_id[0];
args->fsid_latency=field_id[1]; args->fsid_failed=field_id[1];
} }
return 0; return 0;
} }
@@ -137,7 +138,7 @@ struct future * future_create(const char* symbol, future_success_cb * cb_success
clock_gettime(CLOCK_MONOTONIC,&p->debug.create_time); clock_gettime(CLOCK_MONOTONIC,&p->debug.create_time);
void * no_use = NULL; void * no_use = NULL;
long cb_ret=0; long cb_ret=0;
struct field_get_set_args args{.htable = g_FP_instance.name_table, .fs_handle = g_FP_instance.fs_handle}; struct field_get_set_args args={.htable = g_FP_instance.name_table, .fs_handle = g_FP_instance.fs_handle};
no_use=MESA_htable_search_cb(g_FP_instance.name_table, (const unsigned char*)symbol, strlen(symbol), field_get_set_cb, &args, &cb_ret); no_use=MESA_htable_search_cb(g_FP_instance.name_table, (const unsigned char*)symbol, strlen(symbol), field_get_set_cb, &args, &cb_ret);
p->debug.fsid_latency=args.fsid_latency; p->debug.fsid_latency=args.fsid_latency;
p->debug.fsid_failed=args.fsid_failed; p->debug.fsid_failed=args.fsid_failed;
@@ -165,7 +166,7 @@ void future_destroy(struct future * f)
static void fp_stat_latency(struct _future_promise_debug* debug, int is_success) static void fp_stat_latency(struct _future_promise_debug* debug, int is_success)
{ {
struct timespec end; struct timespec end;
long long jiffies=0; long long jiffies_ms=0;
clock_gettime(CLOCK_MONOTONIC,&end); clock_gettime(CLOCK_MONOTONIC,&end);
if(is_success==1) if(is_success==1)
{ {
@@ -177,19 +178,21 @@ static void fp_stat_latency(struct _future_promise_debug* debug, int is_success)
} }
if(debug->succ_times<=1) if(debug->succ_times<=1)
{ {
jiffies=(end.tv_sec-debug->create_time.tv_sec)*1000000000+end.tv_nsec-debug->create_time.tv_nsec; jiffies_ms=(end.tv_sec-debug->create_time.tv_sec)*1000+(end.tv_nsec-debug->create_time.tv_nsec)/1000000;
FS_operate(g_FP_instance.fs_handle, debug->fsid_latency, 0, FS_OP_SET, jiffies); FS_operate(g_FP_instance.fs_handle, debug->fsid_latency, 0, FS_OP_SET, jiffies_ms);
} }
return; return;
} }
void promise_failed(struct promise * p, enum e_future_error error, const char * what) void promise_failed(struct promise * p, enum e_future_error error, const char * what)
{ {
fp_stat_latency(&p->debug, 0);
p->f.cb_failed(error, what, p->f.user); p->f.cb_failed(error, what, p->f.user);
return; return;
} }
void promise_success(struct promise * p, void * result) void promise_success(struct promise * p, void * result)
{ {
fp_stat_latency(&p->debug, 1);
p->f.cb_success(result, p->f.user); p->f.cb_success(result, p->f.user);
return; return;
} }

32
platform/include/internal/key_keeper.h
View File

@@ -13,40 +13,16 @@ struct keyring
STACK_OF(X509) * chain; STACK_OF(X509) * chain;
}; };
struct key_keeper struct key_keeper;
{
unsigned int mode;
char cert_store_host[TFE_STRING_MAX];
unsigned int cert_store_port;
MESA_htable_handle htable;
void* logger;
};
struct key_keeper * key_keeper_init(const char * profile, const char* section, void* logger); struct key_keeper * key_keeper_init(const char * profile, const char* section, void* logger);
struct key_keeper * key_keeper_destroy(struct key_keeper *keeper); void key_keeper_destroy(struct key_keeper *keeper);
struct keyring* key_keeper_release_cert(future_result_t* result); struct keyring* key_keeper_release_keyring(future_result_t* result);
struct keyring* key_keeper_keyring_new(void);
struct keyring* key_keeper_keyring_new3(EVP_PKEY *key, X509 *cert, STACK_OF(X509) *chain);
void key_keeper_free_keyring(struct keyring* cert); void key_keeper_free_keyring(struct keyring* cert);
void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, int keyring_id, void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, int keyring_id,
X509 * origin_cert, int is_cert_valid, struct event_base * evbase); X509 * origin_cert, int is_cert_valid, struct event_base * evbase);
void key_keeper_keyring_refcount_inc(struct keyring* ring);
void key_keeper_keyring_set_cert(struct keyring* ring, X509 *cert);
void key_keeper_keyring_set_key(struct keyring* ring, EVP_PKEY *key);
void key_keeper_keyring_set_chain(struct keyring* ring, STACK_OF(X509) *chain);
static void key_keeper_free_serialized();
static void key_keeper_verify_cb();

575
platform/src/key_keeper.cpp
View File

@@ -10,6 +10,15 @@
#define KEYRING_EXSITED 0 #define KEYRING_EXSITED 0
#define KEYRING_NOT_EXSITED -1 #define KEYRING_NOT_EXSITED -1
struct key_keeper
{
unsigned int mode;
char cert_store_host[TFE_STRING_MAX];
unsigned int cert_store_port;
MESA_htable_handle htable;
void* logger;
};
enum KEY_KEEPER_MODE{ enum KEY_KEEPER_MODE{
NORMAL = 0, NORMAL = 0,
DEBUG, DEBUG,
@@ -32,64 +41,34 @@ struct key_keeper_promise_ctx
static const uchar* get_key_by_cert(X509* cert, int keyring_id, unsigned int* len); static const uchar* get_key_by_cert(X509* cert, int keyring_id, unsigned int* len);
static long htable_search_cb(void * data, const uchar * key, uint size, void * user_arg); static struct keyring_private* keyring_new(void)
static int __wrapper_MESA_htable_set_opt(MESA_htable_handle table, enum MESA_htable_opt opt_type, unsigned int value);
static MESA_htable_handle create_hash_table(unsigned int slot_size, unsigned int expire_seconds);
static struct keyring* generate_x509_cert(X509* origin_cert, int keyring_id, const char* filename);
static void tfe_rpc_on_succ(void* result, void* user);
static void tfe_rpc_on_fail(enum e_future_error err, const char * what, void * user);
static void ctx_destory_cb(struct promise* p);
static X509* get_cert_from_response(const char* data, int len, void* logger);
static EVP_PKEY* get_key_from_response(const char* data, int len, void* logger);
static STACK_OF(X509)* get_chain_from_response(const char* data, int len, void* logger);
/*
* Certificate, including private key and keyring chain.
*/
struct keyring*
key_keeper_keyring_new(void)
{ {
struct keyring_private *keyring; struct keyring_private *kyr;
if (!(keyring = (struct keyring_private *)ALLOC(struct keyring_private, 1))) if (!(kyr = (struct keyring_private *)ALLOC(struct keyring_private, 1)))
{ {
return NULL; return NULL;
} }
if (pthread_mutex_init(&keyring->mutex, NULL)) { if (pthread_mutex_init(&kyr->mutex, NULL)) {
free(keyring); free(kyr);
return NULL; return NULL;
} }
keyring->references = 1; kyr->references = 1;
return &(keyring->head); return kyr;
} }
/* /*
* Passed OpenSSL objects are owned by cert_t; refcount will not be * Passed OpenSSL objects are owned by cert_t; refcount will not be
* incremented, stack will not be duplicated. * incremented, stack will not be duplicated.
*/ */
struct keyring* struct keyring* keyring_new3(EVP_PKEY *key, X509 *cert, STACK_OF(X509) *chain)
key_keeper_keyring_new3(EVP_PKEY *key, X509 *cert, STACK_OF(X509) *chain)
{ {
struct keyring_private* keyring; struct keyring_private* kyr=NULL;
if (!(keyring = (struct keyring_private *)ALLOC(struct keyring_private, 1))) kyr=keyring_new();
{
return NULL; kyr->references = 1;
} (kyr->head).key = key;
if (pthread_mutex_init(&keyring->mutex, NULL)) { (kyr->head).cert = cert;
free(keyring); (kyr->head).chain = chain;
return NULL;
}
keyring->references = 1;
(keyring->head).key = key;
(keyring->head).cert = cert;
(keyring->head).chain = chain;
if(key) if(key)
{ {
ssl_key_refcount_inc(key); ssl_key_refcount_inc(key);
@@ -105,111 +84,213 @@ key_keeper_keyring_new3(EVP_PKEY *key, X509 *cert, STACK_OF(X509) *chain)
ssl_x509_refcount_inc(sk_X509_value(chain, i)); ssl_x509_refcount_inc(sk_X509_value(chain, i));
} }
} }
return &(keyring->head); return &(kyr->head);
} }
// Increment reference count. // Increment reference count.
void void keyring_ref_inc(struct keyring_private* kyr)
key_keeper_keyring_refcount_inc(struct keyring* ring)
{ {
struct keyring_private* keyring = (struct keyring_private*)ring; pthread_mutex_lock(&kyr->mutex);
pthread_mutex_lock(&keyring->mutex); kyr->references++;
keyring->references++; pthread_mutex_unlock(&kyr->mutex);
pthread_mutex_unlock(&keyring->mutex);
} }
/* /*
* Thread-safe setter functions; they copy the value (refcounts are inc'd). * Thread-safe setter functions; they copy the value (refcounts are inc'd).
*/ */
void static void keyring_set_key(struct keyring_private* kyr, EVP_PKEY *key)
key_keeper_keyring_set_key(struct keyring* ring, EVP_PKEY *key)
{ {
struct keyring_private* keyring = (struct keyring_private*)ring; pthread_mutex_lock(&kyr->mutex);
pthread_mutex_lock(&keyring->mutex); if ((kyr->head).key)
if ((keyring->head).key)
{ {
EVP_PKEY_free((keyring->head).key); EVP_PKEY_free((kyr->head).key);
} }
(keyring->head).key = key; (kyr->head).key = key;
if (key) if (key)
{ {
ssl_key_refcount_inc((keyring->head).key); ssl_key_refcount_inc((kyr->head).key);
} }
pthread_mutex_unlock(&keyring->mutex); pthread_mutex_unlock(&kyr->mutex);
} }
void static void keyring_set_cert(struct keyring_private* kry, X509 *cert)
key_keeper_keyring_set_cert(struct keyring* ring, X509 *cert)
{ {
struct keyring_private* keyring = (struct keyring_private*)ring; pthread_mutex_lock(&kry->mutex);
pthread_mutex_lock(&keyring->mutex); if ((kry->head).cert)
if ((keyring->head).cert)
{ {
X509_free((keyring->head).cert); X509_free((kry->head).cert);
} }
(keyring->head).cert = cert; (kry->head).cert = cert;
if (cert) if (cert)
{ {
ssl_x509_refcount_inc((keyring->head).cert); ssl_x509_refcount_inc((kry->head).cert);
} }
pthread_mutex_unlock(&keyring->mutex); pthread_mutex_unlock(&kry->mutex);
} }
void static void keyring_set_chain(struct keyring_private* kyr, STACK_OF(X509) *chain)
key_keeper_keyring_set_chain(struct keyring* ring, STACK_OF(X509) *chain)
{ {
struct keyring_private* keyring = (struct keyring_private*)ring; pthread_mutex_lock(&kyr->mutex);
pthread_mutex_lock(&keyring->mutex); if ((kyr->head).chain)
if ((keyring->head).chain)
{ {
sk_X509_pop_free((keyring->head).chain, X509_free); sk_X509_pop_free((kyr->head).chain, X509_free);
} }
if (chain) if (chain)
{ {
(keyring->head).chain = sk_X509_dup(chain); (kyr->head).chain = sk_X509_dup(chain);
int i = 0; int i = 0;
for (i = 0; i < sk_X509_num((keyring->head).chain); i++) for (i = 0; i < sk_X509_num((kyr->head).chain); i++)
{ {
ssl_x509_refcount_inc(sk_X509_value((keyring->head).chain, i)); ssl_x509_refcount_inc(sk_X509_value((kyr->head).chain, i));
} }
} else } else
{ {
(keyring->head).chain = NULL; (kyr->head).chain = NULL;
} }
pthread_mutex_unlock(&keyring->mutex); pthread_mutex_unlock(&kyr->mutex);
} }
/* /*
* Free keyring including internal objects. * Free keyring including internal objects.
*/ */
void void key_keeper_free_keyring(struct keyring *kyr)
key_keeper_free_keyring(struct keyring *ring)
{ {
struct keyring_private* keyring = (struct keyring_private*)ring; struct keyring_private* _kyr = (struct keyring_private*)kyr;
pthread_mutex_lock(&keyring->mutex); pthread_mutex_lock(&_kyr->mutex);
keyring->references--; _kyr->references--;
if (keyring->references) if (_kyr->references>0)
{ {
pthread_mutex_unlock(&keyring->mutex); pthread_mutex_unlock(&_kyr->mutex);
return; return;
} }
pthread_mutex_unlock(&keyring->mutex); pthread_mutex_unlock(&_kyr->mutex);
pthread_mutex_destroy(&keyring->mutex); pthread_mutex_destroy(&_kyr->mutex);
if ((keyring->head).key) if ((_kyr->head).key)
{ {
EVP_PKEY_free((keyring->head).key); EVP_PKEY_free((_kyr->head).key);
(_kyr->head).key=NULL;
} }
if ((keyring->head).cert) if ((_kyr->head).cert)
{ {
X509_free((keyring->head).cert); X509_free((_kyr->head).cert);
(_kyr->head).cert=NULL;
} }
if ((keyring->head).chain) if ((_kyr->head).chain)
{ {
sk_X509_pop_free((keyring->head).chain, X509_free); sk_X509_pop_free((_kyr->head).chain, X509_free);
(_kyr->head).chain=NULL;
} }
free(keyring); free(_kyr);
} }
static long keyring_local_cache_query_cb(void * data, const uchar * key, uint size, void * user_arg)
{
//data is (struct keyring*)
struct keyring_private* kyr=(struct keyring_private*)data;
if(kyr == NULL)
{
return KEYRING_NOT_EXSITED;
}
else
{
struct promise* p = (struct promise*)user_arg;
promise_success(p, data);
return KEYRING_EXSITED;
}
}
static void certstore_rpc_on_fail(enum e_future_error err, const char * what, void * user)
{
struct promise * p = (struct promise *) user;
promise_failed(p, err, what);
}
static struct keyring_private* generate_x509_keyring(X509* origin_cert, int keyring_id, const char* filename)
{
X509* ca = ssl_x509_load(filename);
EVP_PKEY* cakey = ssl_key_load(filename);
EVP_PKEY* forge_key = ssl_key_genrsa(1024);
X509* forge_cert = ssl_x509_forge(ca, cakey, origin_cert, forge_key, NULL, NULL);
STACK_OF(X509)* chain = sk_X509_new_null();
sk_X509_push(chain, ca);
sk_X509_push(chain, forge_cert);
struct keyring_private* ring= keyring_new();
keyring_set_key(ring, forge_key);
keyring_set_cert(ring, forge_cert);
keyring_set_chain(ring, chain);
return ring;
}
//how to free
static X509* get_cert_from_response(const char* data, int len, void* logger)
{
BIO *bio;
X509 *cert;
bio = BIO_new(BIO_s_mem());
BIO_write(bio, (const void*)data, len);
cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
return cert;
}
static EVP_PKEY* get_key_from_response(const char* data, int len, void* logger)
{
}
static STACK_OF(X509)* get_chain_from_response(const char* data, int len, void* logger)
{
}
static void certstore_rpc_on_succ(void* result, void* user)
{
struct promise * p = (struct promise *) user;
struct key_keeper_promise_ctx* ctx = (struct key_keeper_promise_ctx*)promise_get_ctx(p);
void* logger = ctx->logger;
MESA_htable_handle htable= ctx->htable;
const uchar* key = ctx->key;
unsigned int key_len = ctx->key_len;
//transform to x509
struct tfe_rpc_response_result* response = tfe_rpc_release(result);
int status_code = response->status_code;
const char* status_msg = response->status_msg;
const char* data = response->data;
int len = response->len;
if(status_code == HTTP_OK)
{
struct keyring_private* ring= keyring_new();
X509* forge_cert = get_cert_from_response(data, len, NULL);
EVP_PKEY* forge_key = get_key_from_response(data, len, NULL);
STACK_OF(X509)* chain = get_chain_from_response(data, len, NULL);
keyring_set_key(ring, forge_key);
keyring_set_cert(ring, forge_cert);
keyring_set_chain(ring, chain);
promise_success(p, (void*)ring);
keyring_ref_inc(ring);
int ret = MESA_htable_add(htable, key, key_len, (void*)ring);
if(ret<0)
{
key_keeper_free_keyring((struct keyring*)ring);
}
}
else
{
promise_failed(p, FUTURE_ERROR_EXCEPTION, status_msg);
}
}
static int __wrapper_MESA_htable_set_opt(MESA_htable_handle table, enum MESA_htable_opt opt_type, unsigned int value);
static MESA_htable_handle create_hash_table(unsigned int slot_size, unsigned int expire_seconds);
static STACK_OF(X509)* get_chain_from_response(const char* data, int len, void* logger);
/*
* Certificate, including private key and keyring chain.
*/
static void key_keeper_free_serialized() static void key_keeper_free_serialized()
{ {
return; return;
@@ -235,79 +316,22 @@ key_keeper_init(const char * profile, const char* section, void* logger)
return keeper; return keeper;
} }
//return void ?? void key_keeper_destroy(struct key_keeper *keeper)
struct key_keeper *
key_keeper_destroy(struct key_keeper *keeper)
{ {
free(keeper); free(keeper);
keeper = NULL; keeper = NULL;
return keeper; return;
} }
struct keyring* struct keyring* key_keeper_release_keyring(future_result_t* result)
key_keeper_release_cert(future_result_t* result)
{ {
return (struct keyring*)result; struct keyring_private* kyr=(struct keyring_private*)result;
} keyring_ref_inc(kyr);
return &(kyr->head);
static struct keyring*
generate_x509_cert(X509* origin_cert, int keyring_id, const char* filename)
{
X509* ca = ssl_x509_load(filename);
EVP_PKEY* cakey = ssl_key_load(filename);
EVP_PKEY* forge_key = ssl_key_genrsa(1024);
X509* forge_cert = ssl_x509_forge(ca, cakey, origin_cert, forge_key, NULL, NULL);
STACK_OF(X509)* chain = sk_X509_new_null();
sk_X509_push(chain, ca);
sk_X509_push(chain, forge_cert);
struct keyring* ring= key_keeper_keyring_new();
key_keeper_keyring_set_key(ring, forge_key);
key_keeper_keyring_set_cert(ring, forge_cert);
key_keeper_keyring_set_chain(ring, chain);
return ring;
}
static void
tfe_rpc_on_succ(void* result, void* user)
{
struct promise * p = (struct promise *) user;
struct key_keeper_promise_ctx* ctx = (struct key_keeper_promise_ctx*)promise_get_ctx(p);
void* logger = ctx->logger;
MESA_htable_handle htable= ctx->htable;
const uchar* key = ctx->key;
unsigned int key_len = ctx->key_len;
//transform to x509
struct tfe_rpc_response_result* response = tfe_rpc_release(result);
int status_code = response->status_code;
const char* status_msg = response->status_msg;
const char* data = response->data;
int len = response->len;
if(status_code == HTTP_OK)
{
struct keyring* ring= key_keeper_keyring_new();
X509* forge_cert = get_cert_from_response(data, len, NULL);
EVP_PKEY* forge_key = get_key_from_response(data, len, NULL);
STACK_OF(X509)* chain = get_chain_from_response(data, len, NULL);
key_keeper_keyring_set_key(ring, forge_key);
key_keeper_keyring_set_cert(ring, forge_cert);
key_keeper_keyring_set_chain(ring, chain);
promise_success(p, (void*)ring);
int ret = MESA_htable_add(htable, key, key_len, (void*)ring);
assert(ret >= 0);
}
else
{
promise_failed(p, FUTURE_ERROR_EXCEPTION, status_msg);
}
} }
static void
tfe_rpc_on_fail(enum e_future_error err, const char * what, void * user)
{
struct promise * p = (struct promise *) user;
promise_failed(p, err, what);
}
static void ctx_destory_cb(struct promise* p) static void ctx_destory_cb(struct promise* p)
@@ -316,7 +340,7 @@ static void ctx_destory_cb(struct promise* p)
} }
//TODO: cert_not_valid //TODO: cert_not_valid
void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, int keyring_id, X509 * origin_cert, int is_cert_valid, struct event_base * evbase) void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, int keyring_id, X509 * origin_cert, int is_cert_valid, struct event_base * evbase)
{ {
//get subject name from cert //get subject name from cert
@@ -331,7 +355,7 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, int key
ctx->key_len = len; ctx->key_len = len;
promise_set_ctx(p, (void*)ctx, ctx_destory_cb); promise_set_ctx(p, (void*)ctx, ctx_destory_cb);
long int cb_rtn = 0; long int cb_rtn = 0;
MESA_htable_search_cb(ctx->htable, (const unsigned char*)(ctx->key), ctx->key_len, htable_search_cb, p, &cb_rtn); MESA_htable_search_cb(ctx->htable, (const unsigned char*)(ctx->key), ctx->key_len, keyring_local_cache_query_cb, p, &cb_rtn);
printf(cb_rtn == KEYRING_EXSITED ? "KEYRING_EXSITED\n": "KEYRING_NOT_EXSITED\n"); printf(cb_rtn == KEYRING_EXSITED ? "KEYRING_EXSITED\n": "KEYRING_NOT_EXSITED\n");
if(cb_rtn == KEYRING_EXSITED) if(cb_rtn == KEYRING_EXSITED)
{ {
@@ -342,7 +366,7 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, int key
switch(mode){ switch(mode){
case NORMAL: case NORMAL:
{ {
struct future* f_tfe_rpc = future_create("tfe_rpc", tfe_rpc_on_succ, tfe_rpc_on_fail, p); struct future* f_tfe_rpc = future_create("tfe_rpc", certstore_rpc_on_succ, certstore_rpc_on_fail, p);
//TODO: init in main()? store in ctx //TODO: init in main()? store in ctx
struct tfe_rpc* rpc = tfe_rpc_init(NULL, NULL, keeper->logger); struct tfe_rpc* rpc = tfe_rpc_init(NULL, NULL, keeper->logger);
char url[TFE_STRING_MAX]; char url[TFE_STRING_MAX];
@@ -355,13 +379,21 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, int key
{ {
//TOOD: generate X509 cert //TOOD: generate X509 cert
const char* filename = "./conf/mesalab-ca.pem"; const char* filename = "./conf/mesalab-ca.pem";
struct keyring* ring = generate_x509_cert(origin_cert, keyring_id, filename); struct keyring_private* ring = generate_x509_keyring(origin_cert, keyring_id, filename);
if(ring) if(ring)
{ {
keyring_ref_inc(ring);
int ret = MESA_htable_add(ctx->htable, ctx->key, ctx->key_len, (void*)ring); int ret = MESA_htable_add(ctx->htable, ctx->key, ctx->key_len, (void*)ring);
assert(ret >= 0); if(ret<0)
{
key_keeper_free_keyring((struct keyring*)ring);
}
else
{
printf("key %s is added to hash table\n", ctx->key); printf("key %s is added to hash table\n", ctx->key);
}
promise_success(p, (void*)ring); promise_success(p, (void*)ring);
key_keeper_free_keyring((struct keyring*)ring);
} }
else else
{ {
@@ -373,21 +405,6 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, int key
return; return;
} }
static long
htable_search_cb(void * data, const uchar * key, uint size, void * user_arg)
{
//data is (struct keyring*)
if(data == NULL)
{
return KEYRING_NOT_EXSITED;
}
else
{
struct promise* p = (struct promise*)user_arg;
promise_success(p, data);
return KEYRING_EXSITED;
}
}
static const uchar* static const uchar*
get_key_by_cert(X509* cert, int keyring_id, unsigned int* len) get_key_by_cert(X509* cert, int keyring_id, unsigned int* len)
@@ -438,201 +455,5 @@ create_hash_table(unsigned int slot_size, unsigned int expire_seconds)
return htable; return htable;
} }
//how to free
static X509*
get_cert_from_response(const char* data, int len, void* logger)
{
BIO *bio;
X509 *cert;
bio = BIO_new(BIO_s_mem());
BIO_write(bio, (const void*)data, len);
cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
return cert;
}
static EVP_PKEY*
get_key_from_response(const char* data, int len, void* logger)
{
}
static STACK_OF(X509)*
get_chain_from_response(const char* data, int len, void* logger)
{
}
/*
* Passed OpenSSL objects are copied by cert_t; crt/key refcount will be
* incremented, stack will be duplicated.
* /
cert_t *cert_new3_copy(EVP_PKEY *key, X509 *crt, STACK_OF(X509) *chain)
{
cert_t *c;
if (!(c = (cert_t *)malloc(sizeof(cert_t))))
return NULL;
if (pthread_mutex_init(&c->mutex, NULL)) {
free(c);
return NULL;
}
c->key = key;
ssl_key_refcount_inc(c->key);
c->crt = crt;
ssl_x509_refcount_inc(c->crt);
c->chain = sk_X509_dup(chain);
for (int i = 0; i < sk_X509_num(c->chain); i++) {
ssl_x509_refcount_inc(sk_X509_value(c->chain, i));
}
c->references = 1;
return c;
}
*/
/*
* Load cert_t from file.
* /
cert_t *cert_new_load(const char *filename)
{
cert_t *c;
if (!(c = (cert_t *)malloc(sizeof(cert_t))))
return NULL;
memset(c, 0, sizeof(cert_t));
if (pthread_mutex_init(&c->mutex, NULL)) {
free(c);
return NULL;
}
if (ssl_x509chain_load(&c->crt, &c->chain, filename) == -1) {
free(c);
return NULL;
}
c->key = ssl_key_load(filename);
if (!c->key) {
X509_free(c->crt);
if (c->chain) {
sk_X509_pop_free(c->chain, X509_free);
}
free(c);
return NULL;
}
c->references = 1;
return c;
}
*/
/*
void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, int keyring_id,
X509 * origin_cert, int is_cert_valid, struct event_base * evbase)
{
X509* orig_cert=SSL_get_peer_certificate(origssl);
//todo: need implement
cert_t * keyring = NULL;
if (opts->tgcrtdir)
{
if (ctx->sni)
{
keyring = (cert_t *) cachemgr_tgcrt_get(ctx->sni);
if (!keyring)
{
char * wildcarded = ssl_wildcardify(ctx->sni);
if (!wildcarded)
{
ctx->enomem = 1;
return NULL;
}
keyring = (cert_t *) cachemgr_tgcrt_get(wildcarded);
free(wildcarded);
}
if (keyring && OPTS_DEBUG(ctx->opts))
{
log_dbg_printf("Target keyring by SNI\n");
}
}
else if (ctx->origcrt)
{
char ** names = ssl_x509_names(ctx->origcrt);
for (char ** p = names; *p; p++)
{
if (!keyring)
{
keyring = (cert_t *) cachemgr_tgcrt_get(*p);
}
if (!keyring)
{
char * wildcarded = ssl_wildcardify(*p);
if (!wildcarded)
{
ctx->enomem = 1;
}
else
{
keyring = (cert_t *) (wildcarded);
free(wildcarded);
}
}
free(*p);
}
free(names);
if (ctx->enomem)
{
return NULL;
}
if (keyring && OPTS_DEBUG(ctx->opts))
{
log_dbg_printf("Target keyring by origcrt\n");
}
}
if (keyring)
{
ctx->immutable_cert = 1;
}
}
if (!keyring && ctx->origcrt && ctx->opts->key)
{
keyring = cert_new();
keyring->cert = (X509 *) cachemgr_fkcrt_get(ctx->origcrt);
if (keyring->cert)
{
if (OPTS_DEBUG(ctx->opts)) log_dbg_printf("Certificate cache: HIT\n");
}
else
{
if (OPTS_DEBUG(ctx->opts)) log_dbg_printf("Certificate cache: MISS\n");
keyring->cert = ssl_x509_forge(ctx->opts->cacrt,
ctx->opts->cakey,
ctx->origcrt,
ctx->opts->key,
NULL,
ctx->opts->crlurl);
cachemgr_fkcrt_set(ctx->origcrt, keyring->cert);
}
cert_set_key(keyring, ctx->opts->key);
cert_set_chain(keyring, ctx->opts->chain);
ctx->generated_cert = 1;
}
if ((WANT_CONNECT_LOG(ctx) || ctx->opts->certgendir) && ctx->origcrt)
{
ctx->origcrtfpr = ssl_x509_fingerprint(ctx->origcrt, 0);
if (!ctx->origcrtfpr)
ctx->enomem = 1;
}
if ((WANT_CONNECT_LOG(ctx) || ctx->opts->certgen_writeall) &&
keyring && keyring->cert)
{
ctx->usedcrtfpr = ssl_x509_fingerprint(keyring->cert, 0);
if (!ctx->usedcrtfpr)
ctx->enomem = 1;
}
return keyring;
}
*/

18
platform/src/ssl_stream.cpp
View File

@@ -232,7 +232,7 @@ void ssl_free_chello(struct ssl_chello * p)
} }
struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enum tfe_conn_dir dir, struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enum tfe_conn_dir dir,
struct ssl_chello * client_hello, struct keyring * crt) struct ssl_chello * client_hello, struct keyring * kyr)
{ {
struct sockaddr addr; struct sockaddr addr;
socklen_t addrlen; socklen_t addrlen;
@@ -245,8 +245,8 @@ struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enu
assert(ret == 0); assert(ret == 0);
switch (dir) switch (dir)
{ {
case CONN_DIR_DOWNSTREAM: s_stream->ssl = downstream_ssl_create(mgr, crt); case CONN_DIR_DOWNSTREAM: s_stream->ssl = downstream_ssl_create(mgr, kyr);
s_stream->keyring = crt; s_stream->keyring = kyr;
break; break;
case CONN_DIR_UPSTREAM: s_stream->ssl = upstream_ssl_create(mgr, client_hello, fd); case CONN_DIR_UPSTREAM: s_stream->ssl = upstream_ssl_create(mgr, client_hello, fd);
s_stream->client_hello = client_hello; s_stream->client_hello = client_hello;
@@ -1138,21 +1138,20 @@ void ask_keyring_on_succ(void * result, void * user)
struct ask_keyring_ctx * ctx = (struct ask_keyring_ctx *) promise_dettach_ctx(p); struct ask_keyring_ctx * ctx = (struct ask_keyring_ctx *) promise_dettach_ctx(p);
struct ssl_stream * downstream = NULL; struct ssl_stream * downstream = NULL;
struct keyring * crt = NULL; struct keyring * kyr = NULL;
struct ssl_mgr * mgr = ctx->ssl_mgr; struct ssl_mgr * mgr = ctx->ssl_mgr;
future_destroy(ctx->f_query_cert); future_destroy(ctx->f_query_cert);
ctx->f_query_cert = NULL; ctx->f_query_cert = NULL;
crt = key_keeper_release_cert(result); kyr = key_keeper_release_keyring(result); //kyr will be freed at ssl downstream closing.
ctx->downstream = ssl_stream_new(mgr, ctx->fd_downstream, CONN_DIR_DOWNSTREAM, NULL, crt); ctx->downstream = ssl_stream_new(mgr, ctx->fd_downstream, CONN_DIR_DOWNSTREAM, NULL, kyr);
ctx->bev_down = bufferevent_openssl_socket_new(ctx->evbase, ctx->fd_downstream, ctx->downstream->ssl, ctx->bev_down = bufferevent_openssl_socket_new(ctx->evbase, ctx->fd_downstream, ctx->downstream->ssl,
BUFFEREVENT_SSL_CONNECTING, BEV_OPT_DEFER_CALLBACKS); BUFFEREVENT_SSL_CONNECTING, BEV_OPT_DEFER_CALLBACKS);
bufferevent_openssl_set_allow_dirty_shutdown(ctx->bev_down, 1); bufferevent_openssl_set_allow_dirty_shutdown(ctx->bev_down, 1);
promise_success(p, ctx); promise_success(p, ctx);
key_keeper_free_keyring(crt);
query_cert_ctx_free(ctx); query_cert_ctx_free(ctx);
} }
@@ -1173,7 +1172,7 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct
{ {
assert(upstream->dir == CONN_DIR_UPSTREAM); assert(upstream->dir == CONN_DIR_UPSTREAM);
const char* sni=NULL;
struct ask_keyring_ctx * ctx = ALLOC(struct ask_keyring_ctx, 1); struct ask_keyring_ctx * ctx = ALLOC(struct ask_keyring_ctx, 1);
ctx->keyring_id = keyring_id; ctx->keyring_id = keyring_id;
ctx->ssl_mgr = mgr; ctx->ssl_mgr = mgr;
@@ -1184,6 +1183,7 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct
{ {
ctx->origin_ssl = upstream; ctx->origin_ssl = upstream;
ctx->origin_crt = SSL_get_peer_certificate(upstream->ssl); ctx->origin_crt = SSL_get_peer_certificate(upstream->ssl);
sni=upstream->client_hello->sni;
} }
struct promise * p = future_to_promise(f); struct promise * p = future_to_promise(f);
@@ -1194,7 +1194,7 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct
ATOMIC_INC(&(mgr->stat_val[SSL_FAKE_CRT])); ATOMIC_INC(&(mgr->stat_val[SSL_FAKE_CRT]));
} }
ctx->f_query_cert = future_create("ask_kyr",ask_keyring_on_succ, ask_keyring_on_fail, p); ctx->f_query_cert = future_create("ask_kyr",ask_keyring_on_succ, ask_keyring_on_fail, p);
key_keeper_async_ask(ctx->f_query_cert, mgr->keeper_of_keys, keyring_id, ctx->origin_crt, ctx->is_origin_crt_vaild, key_keeper_async_ask(ctx->f_query_cert, mgr->keeper_of_keys, sni, keyring_id, ctx->origin_crt, ctx->is_origin_crt_vaild,
evbase); evbase);
return; return;
} }

2
platform/src/tcp_stream.cpp
View File

@@ -552,7 +552,7 @@ void tfe_stream_destory(struct tfe_stream_private * stream)
if (__IS_SSL(stream) && stream->ssl_downstream) if (__IS_SSL(stream) && stream->ssl_downstream)
{ {
evutil_socket_t __to_closed_fd = __conn_private_release_fd(stream->conn_upstream); evutil_socket_t __to_closed_fd = __conn_private_release_fd(stream->conn_downstream);
ssl_stream_free_and_close_fd(stream->ssl_downstream, ev_base, __to_closed_fd); ssl_stream_free_and_close_fd(stream->ssl_downstream, ev_base, __to_closed_fd);
} }

2
platform/test/test_key_keeper.cpp
View File

@@ -20,7 +20,7 @@ main()
for(i = 0;i<10;i++){ for(i = 0;i<10;i++){
printf("-------------------------------\n"); printf("-------------------------------\n");
printf("call key_keeper_async_ask, i = %d\n", i); printf("call key_keeper_async_ask, i = %d\n", i);
key_keeper_async_ask(f, keeper, 0, origin_cert, 0, evbase); key_keeper_async_ask(f, keeper, NULL, 0, origin_cert, 0, evbase);
} }
} }

3
platform/test/test_tfe_rpc.cpp
View File

@@ -31,7 +31,7 @@ int main()
{ {
char cert_store_host[TFE_STRING_MAX]; char cert_store_host[TFE_STRING_MAX];
unsigned int cert_store_port; unsigned int cert_store_port;
const char* file_path = "./log/test_tfe_rpc.log"; const char* file_path = "./log/test_tfe_rpc.log",*host="localhost";
void * logger = MESA_create_runtime_log_handle(file_path, RLOG_LV_INFO); void * logger = MESA_create_runtime_log_handle(file_path, RLOG_LV_INFO);
const char* profile = "./conf/tfe.conf"; const char* profile = "./conf/tfe.conf";
const char* section = "key_keeper"; const char* section = "key_keeper";
@@ -48,3 +48,4 @@ int main()
tfe_rpc_async_ask(f_tfe_rpc, rpc, url, GET, DONE_CB, NULL, 0, evbase); tfe_rpc_async_ask(f_tfe_rpc, rpc, url, GET, DONE_CB, NULL, 0, evbase);
event_base_dispatch(evbase); event_base_dispatch(evbase);
} }