#64 在tfe.conf中增加check_cert_crl开关,默认关闭CRL校验。

zhengchao
2018-11-12 13:58:01 +08:00
parent 865a4066fc
commit ca650d12ff
3 changed files with 27 additions and 15 deletions


@@ -26,6 +26,7 @@ static void free_ssl_x509_obj(void* data)
}
struct ssl_trusted_cert_storage
{
struct cert_store_param param;
char* pem_bundle, *pem_dir;
MESA_htable_handle hash_table;
pthread_rwlock_t rwlock;
@@ -92,7 +93,7 @@ struct ssl_trusted_cert_storage
return 1;
}
static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_dir)
static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_dir, struct cert_store_param* param)
{
int ret=0, n=0, i=0;
@@ -113,12 +114,15 @@ static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_di
{
return NULL;
}
X509_VERIFY_PARAM *param=NULL;
param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
X509_STORE_set1_param(store, param);
X509_VERIFY_PARAM_free(param);
X509_VERIFY_PARAM *x509_param=NULL;
if(param->check_crl)
{
x509_param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(x509_param, X509_V_FLAG_CRL_CHECK);
X509_STORE_set1_param(store, x509_param);
X509_VERIFY_PARAM_free(x509_param);
}
struct dirent **namelist = NULL;
n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort);
if(n < 0)
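Review bot: The new `if(param->check_crl)` branch still uses the result of `X509_VERIFY_PARAM_new()` without checking it, so an allocation failure becomes a NULL dereference in `X509_VERIFY_PARAM_set_flags`; mirroring the failure path a few lines above, add `if(x509_param == NULL) { X509_STORE_free(store); return NULL; }` right after the `_new()` call, and treat a non-1 return from `X509_STORE_set1_param` the same way. Separately, `X509_V_FLAG_CRL_CHECK` alone only checks the leaf certificate against a CRL; if the intent of the new `check_crl` switch is to reject a revoked certificate anywhere in the chain, the flag should be `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL`. Either way, a comment should state that with the flag set OpenSSL fails verification when no CRL for the issuer has been loaded into the store, e.g. `/* check_crl=1 requires matching CRLs in the store; missing CRL => verify error */`, since that is presumably why the default is off and operators need to know it before enabling the switch. `_X509_store_create` continues outside this hunk.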
@@ -165,11 +169,13 @@ static MESA_htable_handle _create_mesa_htable(void)
ret = MESA_htable_mature(htable);
return htable;
}
struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir)
struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle,
const char* pem_dir, struct cert_store_param* param)
{
int ret=0;
struct ssl_trusted_cert_storage* storage=ALLOC(struct ssl_trusted_cert_storage, 1);
storage->effective_store=_X509_store_create(pem_bundle, pem_dir);
storage->param=*param;
storage->effective_store=_X509_store_create(pem_bundle, pem_dir, &(storage->param));
if (storage->effective_store == NULL)
{
return NULL;
@@ -242,7 +248,7 @@ int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum
ret=-1;
goto error_out;
}
temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir);
temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param));
MESA_htable_iterate(storage->hash_table, cert_storage_htable_traverse_cb, temp_store);
X509_STORE_free(storage->effective_store);
storage->effective_store=temp_store;
@@ -259,7 +265,7 @@ void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage)
MESA_htable_destroy(storage->hash_table, NULL);
storage->hash_table=_create_mesa_htable();
temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir);
temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param));
pthread_rwlock_wrlock(&(storage->rwlock));
X509_STORE_free(storage->effective_store);