gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

开启证书CRL检查,忽略找不到CRL的证书校验错误。

Browse Source
This commit is contained in:
zhengchao
2018-11-01 12:28:40 +08:00
parent 198818a2aa
commit b17b5fcd00
3 changed files with 32 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
platform/src/ssl_stream.cpp
View File

@@ -132,6 +132,8 @@ struct ssl_mgr
uint8_t ssl_mode_release_buffers; uint8_t ssl_mode_release_buffers;
char trust_CA_file[TFE_PATH_MAX]; char trust_CA_file[TFE_PATH_MAX];
char crl_file[TFE_PATH_MAX];
struct ssl_trusted_cert_storage * trust_CA_store; struct ssl_trusted_cert_storage * trust_CA_store;
struct key_keeper * key_keeper; struct key_keeper * key_keeper;
struct event_base * ev_base_gc; struct event_base * ev_base_gc;
@@ -569,7 +571,11 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
TFE_LOG_ERROR(logger, "Failed at creating X509_STORE"); TFE_LOG_ERROR(logger, "Failed at creating X509_STORE");
goto error_out; goto error_out;
} }
MESA_load_profile_string_def(ini_profile, section, "crl_file", mgr->crl_file, sizeof(mgr->crl_file), "");
if(strlen(mgr->crl_file)>0)
{
ssl_trusted_cert_storage_add(mgr->trust_CA_store, SSL_X509_OBJ_CRL, mgr->crl_file);
}
memcpy(mgr->ssl_session_context, "mesa-tfe", sizeof(mgr->ssl_session_context)); memcpy(mgr->ssl_session_context, "mesa-tfe", sizeof(mgr->ssl_session_context));

33
platform/src/ssl_trusted_cert_storage.cpp
View File

@@ -50,6 +50,11 @@ static X509_STORE* _X509_store_create(const char* pem_bundle)
{ {
return NULL; return NULL;
} }
X509_VERIFY_PARAM *param=NULL;
param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
X509_STORE_set1_param(store, param);
X509_VERIFY_PARAM_free(param);
return store; return store;
} }
static MESA_htable_handle _create_mesa_htable(void) static MESA_htable_handle _create_mesa_htable(void)
@@ -101,7 +106,8 @@ static int _X509_add_cert_or_crl_add(X509_STORE* store, enum ssl_X509_obj_type
BIO *bio=NULL; BIO *bio=NULL;
X509* x=NULL; X509* x=NULL;
X509_CRL* x_crl=NULL; X509_CRL* x_crl=NULL;
int error;
bio=BIO_new_file(filename, "r"); bio=BIO_new_file(filename, "r");
if(bio==NULL) if(bio==NULL)
{ {
@@ -110,26 +116,26 @@ static int _X509_add_cert_or_crl_add(X509_STORE* store, enum ssl_X509_obj_type
ret=0; ret=0;
if(type==SSL_X509_OBJ_CERT) if(type==SSL_X509_OBJ_CERT)
{ {
x=PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); while(NULL!=(x=PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)))
if(x!=NULL)
{ {
ret=X509_STORE_add_cert(store, x); ret=X509_STORE_add_cert(store, x);
if(ret==0) if(ret==0)
{ {
X509_free(x); X509_free(x);
break;
} }
} }
} }
else if(type==SSL_X509_OBJ_CRL) else if(type==SSL_X509_OBJ_CRL)
{ {
x_crl=PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL); while(NULL!=(x_crl=PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL)))
if(x_crl!=NULL)
{ {
ret=X509_STORE_add_crl(store, x_crl); ret=X509_STORE_add_crl(store, x_crl);
if(ret==0) if(ret==0)
{ {
X509_CRL_free(x_crl); X509_CRL_free(x_crl);
} break;
}
} }
} }
if(ret==0) if(ret==0)
@@ -227,17 +233,19 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
// The peer certificate chain is not necessarily available after reusing a session, in which case a NULL pointer is returned. // The peer certificate chain is not necessarily available after reusing a session, in which case a NULL pointer is returned.
return 1; return 1;
} }
pthread_rwlock_rdlock(&(storage->rwlock));
X509_STORE_CTX * ctx = X509_STORE_CTX_new(); X509_STORE_CTX * ctx = X509_STORE_CTX_new();
X509 * cert = sk_X509_value(cert_chain, 0); X509 * cert = sk_X509_value(cert_chain, 0);
pthread_rwlock_rdlock(&(storage->rwlock));
ret = X509_STORE_CTX_init(ctx, storage->effective_store, cert, cert_chain); ret = X509_STORE_CTX_init(ctx, storage->effective_store, cert, cert_chain);
assert(ret == 1); assert(ret == 1);
//If a complete chain can be built and validated this function returns 1, otherwise it return zero or negtive code. //If a complete chain can be built and validated this function returns 1, otherwise it return zero or negtive code.
ret = X509_verify_cert(ctx); ret = X509_verify_cert(ctx);
if(ret!=1) err_code=X509_STORE_CTX_get_error(ctx);
if(ret!=1 && err_code!=X509_V_ERR_UNABLE_TO_GET_CRL && err_code!=X509_V_ERR_DIFFERENT_CRL_SCOPE)
{ {
err_code=X509_STORE_CTX_get_error(ctx);
subj=ssl_x509_subject(cert); subj=ssl_x509_subject(cert);
issuer=ssl_x509_issuer(cert); issuer=ssl_x509_issuer(cert);
snprintf(reason, n_reason, "%s : subject - %s issuer - %s" snprintf(reason, n_reason, "%s : subject - %s issuer - %s"
@@ -246,9 +254,14 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
, issuer); , issuer);
free(subj); free(subj);
free(issuer); free(issuer);
ret=0;
}
else
{
ret=1;
} }
X509_STORE_CTX_free(ctx); X509_STORE_CTX_free(ctx);
pthread_rwlock_unlock(&(storage->rwlock)); pthread_rwlock_unlock(&(storage->rwlock));
return (ret == 1); return ret;
} }

5
plugin/business/pangu-http/src/pangu_http.cpp
View File

@@ -1055,13 +1055,12 @@ static void cache_pending_on_fail(enum e_future_error err, const char * what, vo
void cache_pending(const struct tfe_http_session * session, unsigned int thread_id, struct pangu_http_ctx * ctx) void cache_pending(const struct tfe_http_session * session, unsigned int thread_id, struct pangu_http_ctx * ctx)
{ {
enum cache_pending_result ret; enum cache_pending_result ret;
ctx->f_cache_pending=future_create("cache_pend", cache_pending_on_succ, cache_pending_on_fail, ctx); ctx->f_cache_pending=future_create("cache_pend", cache_pending_on_succ, cache_pending_on_fail, ctx);
ctx->ref_session=tfe_http_session_allow_write(session);
ctx->pending_result=web_cache_async_pending(g_pangu_rt->cache, thread_id, session->req, ctx->f_cache_pending); ctx->pending_result=web_cache_async_pending(g_pangu_rt->cache, thread_id, session->req, ctx->f_cache_pending);
switch(ctx->pending_result) switch(ctx->pending_result)
{ {
case PENDING_RESULT_REVALIDATE: case PENDING_RESULT_REVALIDATE:
ctx->ref_session=tfe_http_session_allow_write(session);
assert(ctx->ref_session != NULL);
tfe_http_session_suspend(ctx->ref_session); tfe_http_session_suspend(ctx->ref_session);
break; break;
case PENDING_RESULT_ALLOWED: case PENDING_RESULT_ALLOWED: