From ca650d12ffa736a1d56ca389fe8f1c78ad095feb Mon Sep 17 00:00:00 2001 From: zhengchao Date: Mon, 12 Nov 2018 13:58:01 +0800 Subject: [PATCH] =?UTF-8?q?#64=20=E5=9C=A8tfe.conf=E4=B8=AD=E5=A2=9E?= =?UTF-8?q?=E5=8A=A0check=5Fcert=5Fcrl=E5=BC=80=E5=85=B3=EF=BC=8C=E9=BB=98?= =?UTF-8?q?=E8=AE=A4=E5=85=B3=E9=97=ADCRL=E6=A0=A1=E9=AA=8C=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../internal/ssl_trusted_cert_storage.h | 7 +++-- platform/src/ssl_stream.cpp | 7 +++-- platform/src/ssl_trusted_cert_storage.cpp | 28 +++++++++++-------- 3 files changed, 27 insertions(+), 15 deletions(-) diff --git a/platform/include/internal/ssl_trusted_cert_storage.h b/platform/include/internal/ssl_trusted_cert_storage.h index 8e6f4f1..9bb2986 100644 --- a/platform/include/internal/ssl_trusted_cert_storage.h +++ b/platform/include/internal/ssl_trusted_cert_storage.h @@ -6,9 +6,12 @@ enum ssl_X509_obj_type SSL_X509_OBJ_CERT, SSL_X509_OBJ_CRL }; - +struct cert_store_param +{ + unsigned int check_crl; +}; struct ssl_trusted_cert_storage; -struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir); +struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir, struct cert_store_param* param); void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage); int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, const SSL * ssl, char* reason, size_t n_reason); diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp index 4319b96..62e271a 100644 --- a/platform/src/ssl_stream.cpp +++ b/platform/src/ssl_stream.cpp 
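Review bot: `struct cert_store_param` and its `check_crl` field enter the public header with no comment on what the value means or whether `ssl_trusted_cert_storage_create` tolerates a NULL `param`; the implementation hunk in ssl_trusted_cert_storage.cpp copies `*param` unconditionally, so NULL is not safe. Document the field as `unsigned int check_crl; /* non-zero: set X509_V_FLAG_CRL_CHECK on the trust store; 0 (default) skips revocation checks */` and state on the prototype that `param` must be non-NULL and is copied at creation time, so the caller need not keep it alive afterwards. Since the callee only reads it, `const struct cert_store_param* param` would express that contract in the signature.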
@@ -130,11 +130,12 @@ struct ssl_mgr char * ecdhcurve; char * crl_url; + + struct cert_store_param cert_verify_param; uint8_t ssl_mode_release_buffers; char trusted_cert_file[TFE_PATH_MAX]; char trusted_cert_dir[TFE_PATH_MAX]; - char crl_file[TFE_PATH_MAX]; struct ssl_trusted_cert_storage * trust_CA_store; struct key_keeper * key_keeper; @@ -570,7 +571,9 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section MESA_load_profile_string_def(ini_profile, section, "trusted_cert_dir", mgr->trusted_cert_dir, sizeof(mgr->trusted_cert_dir), "./conf/trusted_storage"); - mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir); + MESA_load_profile_uint_def(ini_profile, section, "check_cert_crl", &(mgr->cert_verify_param.check_crl), 0); + + mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir, &(mgr->cert_verify_param)); if (mgr->trust_CA_store == NULL) { TFE_LOG_ERROR(logger, "Failed at creating X509_STORE"); diff --git a/platform/src/ssl_trusted_cert_storage.cpp b/platform/src/ssl_trusted_cert_storage.cpp index 6537431..569803c 100644 --- a/platform/src/ssl_trusted_cert_storage.cpp +++ b/platform/src/ssl_trusted_cert_storage.cpp @@ -26,6 +26,7 @@ static void free_ssl_x509_obj(void* data) } struct ssl_trusted_cert_storage { + struct cert_store_param param; char* pem_bundle, *pem_dir; MESA_htable_handle hash_table; pthread_rwlock_t rwlock; @@ -92,7 +93,7 @@ struct ssl_trusted_cert_storage return 1; } -static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_dir) +static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_dir, struct cert_store_param* param) { int ret=0, n=0, i=0; 
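Review bot: `check_cert_crl` defaults to 0 here, so a deployment that relied on the previously unconditional `X509_V_FLAG_CRL_CHECK` in `_X509_store_create` stops rejecting revoked certificates after this change unless the operator adds `check_cert_crl=1`, and nothing on the startup path records which mode is active. Log the loaded value of `mgr->cert_verify_param.check_crl` next to the trust-store creation with the module's logger so the effective revocation policy is visible in the startup log, and document the key and its default alongside `trusted_cert_file` and `trusted_cert_dir`. The return value of `MESA_load_profile_uint_def` is ignored, as it is for the string variant above, so a malformed value presumably falls back to 0 silently; worth confirming against that helper. ssl_manager_init continues outside the hunk.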
@@ -113,12 +114,15 @@ static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_di { return NULL; } - X509_VERIFY_PARAM *param=NULL; - param = X509_VERIFY_PARAM_new(); - X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); - X509_STORE_set1_param(store, param); - X509_VERIFY_PARAM_free(param); - + + X509_VERIFY_PARAM *x509_param=NULL; + if(param->check_crl) + { + x509_param = X509_VERIFY_PARAM_new(); + X509_VERIFY_PARAM_set_flags(x509_param, X509_V_FLAG_CRL_CHECK); + X509_STORE_set1_param(store, x509_param); + X509_VERIFY_PARAM_free(x509_param); + } struct dirent **namelist = NULL; n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort); if(n < 0) @@ -165,11 +169,13 @@ static MESA_htable_handle _create_mesa_htable(void) ret = MESA_htable_mature(htable); return htable; } -struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir) +struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, + const char* pem_dir, struct cert_store_param* param) { int ret=0; struct ssl_trusted_cert_storage* storage=ALLOC(struct ssl_trusted_cert_storage, 1); - storage->effective_store=_X509_store_create(pem_bundle, pem_dir); + storage->param=*param; + storage->effective_store=_X509_store_create(pem_bundle, pem_dir, &(storage->param)); if (storage->effective_store == NULL) { return NULL; @@ -242,7 +248,7 @@ int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum ret=-1; goto error_out; } - temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir); + temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param)); MESA_htable_iterate(storage->hash_table, cert_storage_htable_traverse_cb, temp_store); X509_STORE_free(storage->effective_store); storage->effective_store=temp_store; 
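Review bot: With `check_crl` set, the rewritten branch still requests only `X509_V_FLAG_CRL_CHECK`, which in OpenSSL checks the leaf certificate against a CRL but not the intermediate CAs, so a revoked intermediate still verifies; if chain-wide revocation checking is intended, add `X509_V_FLAG_CRL_CHECK_ALL`. The branch also ignores that `X509_VERIFY_PARAM_new()` can return NULL and that `X509_VERIFY_PARAM_set_flags` and `X509_STORE_set1_param` return 0 on failure, so an allocation failure here either dereferences NULL or leaves a store without the CRL flag while the configuration says it is on. Failing the store creation in that case keeps the policy fail-closed; whether freeing `store` on that path matches the function's other failure exits is not visible, since the earlier `return NULL` and the rest of the function lie outside the hunk. `param` is dereferenced without a NULL check, which is acceptable while every caller in this patch passes `&(storage->param)` but should be stated on the prototype.
```cpp
    X509_VERIFY_PARAM *x509_param=NULL;
    if(param->check_crl)
    {
        x509_param = X509_VERIFY_PARAM_new();
        /* CRL_CHECK alone covers only the leaf; CRL_CHECK_ALL extends it to every CA in the chain */
        if(x509_param == NULL
           || !X509_VERIFY_PARAM_set_flags(x509_param, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL)
           || !X509_STORE_set1_param(store, x509_param))
        {
            X509_VERIFY_PARAM_free(x509_param);
            X509_STORE_free(store); /* confirm this matches the earlier failure exit, which is outside the hunk */
            return NULL;
        }
        X509_VERIFY_PARAM_free(x509_param);
    }
    // … unchanged: tfe_scandir of pem_dir and the rest of the function …
```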
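Review bot: `storage->param=*param;` dereferences the caller-supplied pointer with no NULL check, and the header does not say NULL is disallowed; either reject it up front, `if (param == NULL) return NULL;`, or treat NULL as the documented default of `check_crl = 0`. On the same function, the pre-existing `return NULL;` when `_X509_store_create` fails still leaks the freshly allocated `storage` (and the `ALLOC` result is itself unchecked), which this commit did not change; releasing `storage` on that path with whatever pairs with `ALLOC` (not visible here) would close it. ssl_trusted_cert_storage_create continues past the hunk.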
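Review bot: The rebuilt `temp_store` from `_X509_store_create` is still used without a NULL check: on failure (the hunk above shows it returning NULL) the following lines iterate the cached certificates into a NULL store, free the old `effective_store` and install NULL as the new one, so the storage is left with no trust store and later verification presumably fails or crashes rather than keeping the previous good store; the same pattern is in the `ssl_trusted_cert_storage_reset` hunk below, whose function runs past the end of this chunk. Not introduced by this commit, but since the line is being touched, bail out before replacing the live store: `if (temp_store == NULL) { ret=-1; goto error_out; }` directly after the call (the `error_out` label is already used two lines above). ssl_trusted_cert_storage_del begins outside the hunk.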
@@ -259,7 +265,7 @@ void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage) MESA_htable_destroy(storage->hash_table, NULL); storage->hash_table=_create_mesa_htable(); - temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir); + temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param)); pthread_rwlock_wrlock(&(storage->rwlock)); X509_STORE_free(storage->effective_store);