gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

修正部分TCP处理流程中FD所有权转移有误,导致的fd潜在的double-free。

Browse Source
This commit is contained in:
luqiuwen
2019-09-05 11:37:37 +08:00
parent 021500f42a
commit c9d814e17b
6 changed files with 141 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

164
platform/src/ssl_stream.cpp
View File

@@ -76,12 +76,12 @@ enum ssl_stream_stat
SSL_UP_CACHE_SZ,
SSL_UP_CACHE_QUERY,
SSL_UP_CACHE_HIT,
SSL_DOWN_NEW,
SSL_DOWN_ERR,
SSL_DOWN_ERR_NO_CERT,
SSL_DOWN_ERR_INAPPROPRIATE_FALLBACK,
SSL_DOWN_ERR_INAPPROPRIATE_FALLBACK,
SSL_DOWN_CLOSING,
SSL_DOWN_CLOSED,
SSL_DOWN_DIRTY_CLOSED,
@@ -92,7 +92,7 @@ enum ssl_stream_stat
SSL_DOWN_TICKET_REUSE,
SSL_DOWN_TICKET_NOTFOUND,
SSL_DOWN_TIKCET_QUERY,
SSL_NO_CHELLO,
SSL_NO_SNI,
SSL_FAKE_CRT,
@@ -140,7 +140,7 @@ struct ssl_mgr
struct sess_cache * down_sess_cache;
struct sess_cache * up_sess_cache;
struct sess_ticket_box * down_stek_box;
struct ssl_service_cache* svc_cache;
ssl_stream_new_hook* on_new_upstream_cb;
void* upstream_cb_param;
@@ -165,7 +165,7 @@ struct ssl_mgr
unsigned int log_master_key;
char master_key_file[TFE_PATH_MAX];
FILE* fp_master_key;
void * logger;
screen_stat_handle_t fs_handle;
long long stat_val[SSL_STAT_MAX];
@@ -185,7 +185,7 @@ struct ssl_bypass_condition
};
struct ssl_upstream_parts
{
struct cert_verify_param verify_param;
struct cert_verify_result verify_result;
char block_fake_cert;
@@ -194,7 +194,7 @@ struct ssl_upstream_parts
int apln_enabled;
int keyring_id;
struct ssl_chello * client_hello;
int is_server_cert_verify_passed;
int is_server_cert_verify_passed;
};
struct ssl_downstream_parts
{
@@ -243,9 +243,9 @@ struct ssl_connect_server_ctx
evutil_socket_t fd_upstream;
evutil_socket_t fd_downstream;
struct tfe_stream* tcp_stream;
struct future * f_peek_chello;
struct timespec start,end;
};
@@ -343,7 +343,7 @@ ssl_stream_gc_cb(evutil_socket_t fd, short what, void * arg)
struct ssl_mgr *mgr=(struct ssl_mgr *)arg;
int i=0;
if(!mgr->no_sesscache)
{
{
ssl_sess_cache_stat(mgr->up_sess_cache, &(mgr->stat_val[SSL_UP_CACHE_SZ]), &(mgr->stat_val[SSL_UP_CACHE_QUERY]), &(mgr->stat_val[SSL_UP_CACHE_HIT]));
ssl_sess_cache_stat(mgr->down_sess_cache, &(mgr->stat_val[SSL_DOWN_CACHE_SZ]), &(mgr->stat_val[SSL_DOWN_CACHE_QUERY]), &(mgr->stat_val[SSL_DOWN_CACHE_HIT]));
}
@@ -352,14 +352,14 @@ ssl_stream_gc_cb(evutil_socket_t fd, short what, void * arg)
mgr->stat_val[KEY_KEEPER_ASK]=keeper_stat.ask_times;
mgr->stat_val[KEY_KEEPER_ISSUE]=keeper_stat.new_issue;
mgr->stat_val[KEY_KEEPER_CACHE_SIZE]=keeper_stat.cached_num;
struct ssl_service_cache_statistics svc_stat;
memset(&svc_stat, 0, sizeof(svc_stat));
ssl_service_cache_stat(mgr->svc_cache, &svc_stat);
mgr->stat_val[SSL_SVC_PINNING]=svc_stat.pinning_cli_cnt;
mgr->stat_val[SSL_SVC_MAUTH]=svc_stat.mutual_auth_cli_cnt;
mgr->stat_val[SSL_SVC_CT_CERT]=svc_stat.ct_srv_cnt;
mgr->stat_val[SSL_SVC_EV_CERT]=svc_stat.ev_srv_cnt;
mgr->stat_val[SSL_SVC_EV_CERT]=svc_stat.ev_srv_cnt;
mgr->stat_val[SSL_SVC_APP_NOT_PINNING]=svc_stat.app_not_pinning_cnt;
for(i=0;i<SSL_STAT_MAX;i++)
{
@@ -379,25 +379,25 @@ void ssl_stat_init(struct ssl_mgr * mgr)
spec[SSL_UP_ERR]="ussl_err";
spec[SSL_UP_ERR_NO_CIPHER]="ussl_e_ciph";
spec[SSL_UP_ERR_UNSUPPORT_PROTO]="ussl_e_prt";
spec[SSL_UP_CLOSING]="ussl_clsing";
spec[SSL_UP_CLOSED]="ussl_clsd";
spec[SSL_UP_DIRTY_CLOSED]="ussl_dt_cls";
spec[SSL_UP_CACHE_SZ]="usess_cache";
spec[SSL_UP_CACHE_QUERY]="usess_query";
spec[SSL_UP_CACHE_HIT]="usess_hitn";
spec[SSL_DOWN_NEW]="dssl_new";
spec[SSL_DOWN_ERR]="dssl_err";
spec[SSL_DOWN_ERR_NO_CERT]="dssl_e_cert";
spec[SSL_DOWN_ERR_INAPPROPRIATE_FALLBACK]="dssl_e_fb";
spec[SSL_DOWN_CLOSING]="dssl_clsing";
spec[SSL_DOWN_CLOSING]="dssl_clsing";
spec[SSL_DOWN_CLOSED]="dssl_clsd";
spec[SSL_DOWN_DIRTY_CLOSED]="dssl_dt_cls";
spec[SSL_DOWN_CACHE_SZ]="dsess_cache";
spec[SSL_DOWN_CACHE_QUERY]="dcache_query";
spec[SSL_DOWN_CACHE_HIT]="dsess_hitn";
if(!mgr->no_sessticket)
{
spec[SSL_DOWN_TICKET_NEW]="dtkt_new";
@@ -417,7 +417,7 @@ void ssl_stat_init(struct ssl_mgr * mgr)
spec[SSL_SVC_CT_CERT]="ssl_ct_crt";
spec[SSL_SVC_EV_CERT]="ssl_ev_crt";
spec[SSL_SVC_APP_NOT_PINNING]="app_no_pinning";
for(i=0;i<SSL_STAT_MAX;i++)
{
@@ -431,10 +431,10 @@ void ssl_stat_init(struct ssl_mgr * mgr)
FS_set_para(mgr->fs_handle, ID_INVISBLE, &value, sizeof(value));
value=mgr->fs_id[SSL_UP_CACHE_QUERY];
FS_set_para(mgr->fs_handle, ID_INVISBLE, &value, sizeof(value));
FS_register_ratio(mgr->fs_handle,
mgr->fs_id[SSL_UP_CACHE_HIT],
mgr->fs_id[SSL_UP_CACHE_QUERY],
mgr->fs_id[SSL_UP_CACHE_HIT],
mgr->fs_id[SSL_UP_CACHE_QUERY],
1,
FS_STYLE_STATUS,
FS_CALC_CURRENT,
@@ -444,10 +444,10 @@ void ssl_stat_init(struct ssl_mgr * mgr)
FS_set_para(mgr->fs_handle, ID_INVISBLE, &value, sizeof(value));
value=mgr->fs_id[SSL_DOWN_CACHE_QUERY];
FS_set_para(mgr->fs_handle, ID_INVISBLE, &value, sizeof(value));
FS_register_ratio(mgr->fs_handle,
mgr->fs_id[SSL_DOWN_CACHE_HIT],
mgr->fs_id[SSL_DOWN_CACHE_QUERY],
mgr->fs_id[SSL_DOWN_CACHE_HIT],
mgr->fs_id[SSL_DOWN_CACHE_QUERY],
1,
FS_STYLE_STATUS,
FS_CALC_CURRENT,
@@ -457,21 +457,21 @@ void ssl_stat_init(struct ssl_mgr * mgr)
{
value=mgr->fs_id[SSL_DOWN_TIKCET_QUERY];
FS_set_para(mgr->fs_handle, ID_INVISBLE, &value, sizeof(value));
value=mgr->fs_id[SSL_DOWN_TICKET_REUSE];
FS_set_para(mgr->fs_handle, ID_INVISBLE, &value, sizeof(value));
FS_register_ratio(mgr->fs_handle,
mgr->fs_id[SSL_DOWN_TICKET_REUSE],
mgr->fs_id[SSL_DOWN_TIKCET_QUERY],
mgr->fs_id[SSL_DOWN_TICKET_REUSE],
mgr->fs_id[SSL_DOWN_TIKCET_QUERY],
1,
FS_STYLE_STATUS,
FS_CALC_CURRENT,
"dtkt_hit");
}
struct timeval gc_delay = {0, 500*1000}; //Microseconds, we set 500 miliseconds here.
mgr->gcev = event_new(mgr->ev_base_gc, -1, EV_PERSIST, ssl_stream_gc_cb, mgr);
mgr->gcev = event_new(mgr->ev_base_gc, -1, EV_PERSIST, ssl_stream_gc_cb, mgr);
evtimer_add(mgr->gcev, &gc_delay);
return;
@@ -537,12 +537,12 @@ static void ssl_stream_free(struct ssl_stream * s_stream)
{
key_keeper_free_keyring(s_stream->down_parts.keyring);
s_stream->down_parts.keyring = NULL;
}
}
ATOMIC_INC(&(s_stream->mgr->stat_val[SSL_DOWN_CLOSED]));
break;
case CONN_DIR_UPSTREAM:
if (s_stream->up_parts.client_hello != NULL)
{
{
ssl_chello_free(s_stream->up_parts.client_hello);
s_stream->up_parts.client_hello = NULL;
}
@@ -609,7 +609,7 @@ void ssl_manager_destroy(struct ssl_mgr * mgr)
}
struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section,
struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section,
struct event_base * ev_base_gc, void * logger)
{
unsigned int stek_group_num = 0;
@@ -656,7 +656,7 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
MESA_load_profile_uint_def(ini_profile, section, "no_tls10", &(mgr->no_tls10), 0);
MESA_load_profile_uint_def(ini_profile, section, "no_tls11", &(mgr->no_tls11), 0);
MESA_load_profile_uint_def(ini_profile, section, "no_tls12", &(mgr->no_tls12), 0);
MESA_load_profile_string_def(ini_profile, section, "default_ciphers", mgr->default_ciphers,
MESA_load_profile_string_def(ini_profile, section, "default_ciphers", mgr->default_ciphers,
sizeof(mgr->default_ciphers), DFLT_CIPHERS);
MESA_load_profile_uint_def(ini_profile, section, "no_session_cache", &(mgr->no_sesscache), 0);
@@ -670,14 +670,14 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
&(mgr->sess_cache_slots), 4 * 1024 * 1024);
MESA_load_profile_uint_def(ini_profile, section, "session_cache_expire_seconds",
&(mgr->sess_expire_seconds), 30 * 60);
if(!mgr->no_sesscache)
{
mgr->up_sess_cache = ssl_sess_cache_create(mgr->sess_cache_slots, mgr->sess_expire_seconds, CONN_DIR_UPSTREAM);
mgr->down_sess_cache = ssl_sess_cache_create(mgr->sess_cache_slots, mgr->sess_expire_seconds, CONN_DIR_DOWNSTREAM);
}
MESA_load_profile_uint_def(ini_profile, section, "stek_group_num", &stek_group_num, 1);
MESA_load_profile_uint_def(ini_profile, section, "stek_rotation_time", &stek_rotation_time, 3600);
@@ -712,7 +712,7 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
TFE_LOG_ERROR(logger, "Certificate Manager initiate failed.");
goto error_out;
}
MESA_load_profile_uint_def(ini_profile, section, "trusted_cert_load_local",
&(mgr->trusted_cert_load_local), 1);
@@ -721,10 +721,10 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
{
MESA_load_profile_string_def(ini_profile, section, "trusted_cert_file", mgr->trusted_cert_file, sizeof(mgr->trusted_cert_file),
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem");
MESA_load_profile_string_def(ini_profile, section, "trusted_cert_dir", mgr->trusted_cert_dir, sizeof(mgr->trusted_cert_dir),
"./resource/tfe/trusted_storage");
}
}
mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir, &(mgr->cert_verify_param));
if (mgr->trust_CA_store == NULL)
{
@@ -746,7 +746,7 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
mgr->log_master_key=0;
}
}
mgr->fs_handle=tfe_proxy_get_fs_handle();
ssl_stat_init(mgr);
return mgr;
@@ -786,7 +786,7 @@ static void peek_client_hello_cb(evutil_socket_t fd, short what, void * arg)
//use promise_get_ctx instead of promise_dettach_ctx for try more times.
struct peek_client_hello_ctx * ctx = (struct peek_client_hello_ctx *) promise_get_ctx(promise);
enum chello_parse_result chello_status=CHELLO_PARSE_INVALID_FORMAT;
struct ssl_chello* chello=NULL;
struct ssl_chello* chello=NULL;
const char * reason = NULL;
unsigned char buf[2048];
ssize_t n = 0;
@@ -826,7 +826,7 @@ static void peek_client_hello_cb(evutil_socket_t fd, short what, void * arg)
reason = "too many peek retries";
goto failed;
}
/* ssl_tls_clienthello_parse indicates that we
* should retry later when we have more data, and we
* haven't reached the maximum retry count yet.
@@ -836,7 +836,7 @@ static void peek_client_hello_cb(evutil_socket_t fd, short what, void * arg)
* never actually read them, fd is still ready for
* reading now. We use 25 * 0.2 s = 5 s timeout. */
struct timeval retry_delay = {0, 100};
event_del(ctx->ev);
event_del(ctx->ev);
event_free(ctx->ev);
ctx->ev = event_new(ctx->evbase, fd, 0, peek_client_hello_cb, promise);
assert(ctx->ev != NULL);
@@ -942,10 +942,10 @@ static int upstream_ossl_init(struct ssl_stream* s_stream)
TFE_LOG_ERROR(mgr->logger, "ssl set max proto version failed %d.", s_stream->ssl_max_version);
return -1;
}
SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_set_client_cert_cb(sslctx, ossl_client_cert_cb);
if(mgr->no_sesscache)
{
SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_OFF);
@@ -955,7 +955,7 @@ static int upstream_ossl_init(struct ssl_stream* s_stream)
SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_NO_INTERNAL);
/* session resuming based on remote endpoint address and port */
sess = up_session_get(mgr->up_sess_cache,
(struct sockaddr *) &(s_stream->peer_addr), s_stream->peer_addrlen, chello->sni,
(struct sockaddr *) &(s_stream->peer_addr), s_stream->peer_addrlen, chello->sni,
s_stream->ssl_min_version, s_stream->ssl_max_version);
if (sess)
{
@@ -1098,7 +1098,7 @@ unsigned long ssl_stream_log_error(struct bufferevent * bev, enum tfe_conn_dir d
}
if(fs_id>=0)
{
mgr->stat_val[fs_id]++;
mgr->stat_val[fs_id]++;
}
if (!errno && !sslerr)
{
@@ -1194,7 +1194,7 @@ void ssl_stream_process_error(struct ssl_stream * s_stream, unsigned long sslerr
{
s_upstream->svc_status.cli_pinning_status=PINNING_ST_PINNING;
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, PINNING_ST_PINNING);
ssl_service_cache_write(mgr->svc_cache, s_upstream->client_hello, s_stream->tcp_stream->addr, &s_upstream->svc_status);
ssl_service_cache_write(mgr->svc_cache, s_upstream->client_hello, s_stream->tcp_stream->addr, &s_upstream->svc_status);
}
else if(sslerr>0 && sslerr!=SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN)
{
@@ -1204,7 +1204,7 @@ void ssl_stream_process_error(struct ssl_stream * s_stream, unsigned long sslerr
break;
case CONN_DIR_UPSTREAM:
s_upstream=&(s_stream->up_parts);
s_upstream->svc_status.has_protocol_errors=1;
s_upstream->svc_status.has_protocol_errors=1;
ssl_service_cache_write(mgr->svc_cache, s_stream->up_parts.client_hello, s_stream->tcp_stream->addr, &(s_stream->up_parts.svc_status));
break;
default:
@@ -1261,8 +1261,8 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
s_stream->error=SSL_STREAM_R_SERVER_PROTOCOL_ERROR;
}
else if(events & BEV_EVENT_EOF)
{
ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));
{
ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));
s_stream->error=SSL_STREAM_R_SERVER_CLOSED;
}
else if(events & BEV_EVENT_TIMEOUT)
@@ -1271,7 +1271,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
s_stream->error=SSL_STREAM_R_CONNECT_SERVER_TIMEOUT;
}
else if(events & BEV_EVENT_CONNECTED)
{
{
bufferevent_disable(ctx->bev, EV_READ | EV_WRITE);
bufferevent_setcb(ctx->bev, NULL, NULL, NULL, NULL); //leave a clean bev for on_success
clock_gettime(CLOCK_MONOTONIC, &(ctx->end));
@@ -1279,7 +1279,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
if(jiffies_ms>LATENCY_WARNING_THRESHOLD_MS)
{
TFE_LOG_ERROR(mgr->logger, "Warning: ssl connect server latency %ld ms: addr=%s, sni=%s",
jiffies_ms,
jiffies_ms,
s_stream->tcp_stream->str_stream_info,
s_upstream->client_hello->sni);
}
@@ -1293,8 +1293,8 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
s_upstream->is_server_cert_verify_passed=1;
}
else
{
s_upstream->is_server_cert_verify_passed = ssl_trusted_cert_storage_verify_conn(s_stream->mgr->trust_CA_store,
{
s_upstream->is_server_cert_verify_passed = ssl_trusted_cert_storage_verify_conn(s_stream->mgr->trust_CA_store,
s_stream->ssl, s_stream->up_parts.client_hello->sni, &(s_stream->up_parts.verify_param),
error_str, sizeof(error_str), &(s_stream->up_parts.verify_result));
s_upstream->svc_status.is_ct=s_upstream->verify_result.is_ct;
@@ -1333,7 +1333,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
else
{
//Do not perform cert verification on reused session.
s_upstream->is_server_cert_verify_passed=1;
s_upstream->is_server_cert_verify_passed=1;
}
if(mgr->log_master_key)
{
@@ -1478,7 +1478,7 @@ void ssl_async_upstream_create(struct future * f, struct ssl_mgr * mgr, evutil_s
ctx->f_peek_chello = future_create("peek_sni", peek_chello_on_succ, peek_chello_on_fail, p);
ssl_async_peek_client_hello(ctx->f_peek_chello, fd_downstream, evbase, mgr->logger);
}
static int ossl_session_ticket_key_callback(SSL *ssl_conn,
unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
@@ -1494,14 +1494,14 @@ static int ossl_session_ticket_key_callback(SSL *ssl_conn,
const char * sni = s_stream->peer->up_parts.client_hello->sni;
struct sess_ticket_box * stek_box = s_stream->mgr->down_stek_box;
struct sess_ticket_key cur_stek;
unsigned char buf[33]={0};
unsigned char buf[33]={0};
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_TIKCET_QUERY]));
if (enc == 1)
{
sess_ticket_box_get_key_for_enc(stek_box, sni, &cur_stek);
/* encrypt session stek */
/* encrypt session stek */
if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1)
{
TFE_LOG_ERROR(mgr->logger, "Session Ticket RAND_bytes() failed");
@@ -1514,7 +1514,7 @@ static int ossl_session_ticket_key_callback(SSL *ssl_conn,
ret=STEK_ERROR;
goto leave;
}
if (HMAC_Init_ex(hctx, cur_stek.hmac_key, size, digest, NULL) != 1)
if (HMAC_Init_ex(hctx, cur_stek.hmac_key, size, digest, NULL) != 1)
{
TFE_LOG_ERROR(mgr->logger, "HMAC_Init_ex() failed");
ret=STEK_ERROR;
@@ -1523,10 +1523,10 @@ static int ossl_session_ticket_key_callback(SSL *ssl_conn,
memcpy(name, cur_stek.name, sizeof(cur_stek.name));
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_TICKET_NEW]));
ret=STEK_FOUND_FRESH;
}
else
}
else
{
/* decrypt session stek */
/* decrypt session stek */
ret=sess_ticket_box_get_key_for_dec(stek_box, sni, name, &cur_stek);
if(ret==STEK_FOUND_FRESH||ret==STEK_FOUND_STALED)
@@ -1536,8 +1536,8 @@ static int ossl_session_ticket_key_callback(SSL *ssl_conn,
TFE_LOG_ERROR(logger, "HMAC_Init_ex() failed");
ret= STEK_ERROR;
goto leave;
}
if (EVP_DecryptInit_ex(ectx, cipher, NULL, cur_stek.aes_key, iv) != 1)
}
if (EVP_DecryptInit_ex(ectx, cipher, NULL, cur_stek.aes_key, iv) != 1)
{
TFE_LOG_ERROR(logger, "EVP_DecryptInit_ex() failed");
ret= STEK_ERROR;
@@ -1552,7 +1552,7 @@ static int ossl_session_ticket_key_callback(SSL *ssl_conn,
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_TICKET_NOTFOUND]));
}
}
leave:
return (int)ret;
}
@@ -1639,7 +1639,7 @@ static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr)
{
SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2);
}
if (mgr->no_ssl3)
if (mgr->no_ssl3)
{
SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv3);
}
@@ -1780,7 +1780,7 @@ void downstream_ossl_init(struct ssl_stream *s_stream)
ret = SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_SSLSTREAM, s_stream);
assert(ret == 1);
if (mgr->ssl_mode_release_buffers == 1)
{
/* lower memory footprint for idle connections */
@@ -1794,7 +1794,7 @@ void ssl_connect_client_ctx_free(struct ssl_connect_client_ctx * ctx)
{
X509_free(ctx->origin_crt);
ctx->origin_crt=NULL;
if (ctx->f_ask_keyring != NULL)
{
future_destroy(ctx->f_ask_keyring);
@@ -1842,9 +1842,9 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
struct ssl_stream * s_stream = ctx->downstream;
struct ssl_upstream_parts* s_upstream= &(ctx->peer->up_parts);
struct ssl_mgr* mgr=s_stream->mgr;
struct ssl_mgr* mgr=s_stream->mgr;
char error_str[TFE_STRING_MAX]={0};
uint64_t jiffies_ms=0;
uint64_t jiffies_ms=0;
unsigned long sslerr=0;
if (events & BEV_EVENT_ERROR)
{
@@ -1857,7 +1857,7 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
s_stream->error=SSL_STREAM_R_CLIENT_PROTOCOL_ERROR;
}
else if(events & BEV_EVENT_EOF)
{
{
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
ssl_stream_process_zero_eof(s_stream, mgr);
}
@@ -1868,14 +1868,14 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
}
else if(events & BEV_EVENT_CONNECTED)
{
clock_gettime(CLOCK_MONOTONIC, &(ctx->end));
jiffies_ms=(ctx->end.tv_sec-ctx->start.tv_sec)*1000+(ctx->end.tv_nsec-ctx->start.tv_nsec)/1000000;
if(jiffies_ms>LATENCY_WARNING_THRESHOLD_MS)
{
TFE_LOG_ERROR(mgr->logger, "Warning: ssl connect client latency %ld ms: addr=%s, sni=%s",
jiffies_ms,
s_stream->tcp_stream->str_stream_info,
TFE_LOG_ERROR(mgr->logger, "Warning: ssl connect client latency %ld ms: addr=%s, sni=%s",
jiffies_ms,
s_stream->tcp_stream->str_stream_info,
s_upstream->client_hello->sni);
}
s_stream->connect_latency_ms=jiffies_ms;
@@ -1895,7 +1895,7 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
// ssl_service_cache_write(mgr->svc_cache, s_upstream->client_hello, s_stream->tcp_stream->addr, &svc_status);
promise_success(p, ctx);
}
if(s_stream->error)
{
ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_ERROR, ssl_stream_get_error_string(s_stream->error));
@@ -1917,7 +1917,7 @@ void ask_keyring_on_succ(void * result, void * user)
struct event_base* evbase=tfe_proxy_get_work_thread_evbase(ctx->tcp_stream->thread_id);
kyr = key_keeper_release_keyring(result); //kyr will be freed at ssl downstream closing.
clock_gettime(CLOCK_MONOTONIC, &(ctx->start));
ctx->downstream = ssl_stream_new(mgr, ctx->fd_downstream, CONN_DIR_DOWNSTREAM, NULL,
kyr, ctx->peer, ctx->tcp_stream);
@@ -1925,7 +1925,7 @@ void ask_keyring_on_succ(void * result, void * user)
ctx->bev_down = bufferevent_openssl_socket_new(evbase, ctx->fd_downstream, ctx->downstream->ssl,
BUFFEREVENT_SSL_ACCEPTING, BEV_OPT_DEFER_CALLBACKS | BEV_OPT_THREADSAFE);
bufferevent_openssl_set_allow_dirty_shutdown(ctx->bev_down, 1);
bufferevent_setcb(ctx->bev_down, NULL, NULL, ssl_client_connected_eventcb, p);
bufferevent_enable(ctx->bev_down, EV_READ | EV_WRITE); //waiting for connect event only
@@ -2294,4 +2294,4 @@ int ssl_stream_get_string_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT o
return -1;
}
return 0;
}
}