gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

#64 在tfe.conf中增加check_cert_crl开关,默认关闭CRL校验。

Browse Source
This commit is contained in:
zhengchao
2018-11-12 13:58:01 +08:00
parent 865a4066fc
commit ca650d12ff
3 changed files with 27 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
platform/include/internal/ssl_trusted_cert_storage.h
View File

@@ -6,9 +6,12 @@ enum ssl_X509_obj_type
SSL_X509_OBJ_CERT, SSL_X509_OBJ_CERT,
SSL_X509_OBJ_CRL SSL_X509_OBJ_CRL
}; };
struct cert_store_param
{
unsigned int check_crl;
};
struct ssl_trusted_cert_storage; struct ssl_trusted_cert_storage;
struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir); struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir, struct cert_store_param* param);
void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage); void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage);
int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, const SSL * ssl, char* reason, size_t n_reason); int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, const SSL * ssl, char* reason, size_t n_reason);

7
platform/src/ssl_stream.cpp
View File

@@ -130,11 +130,12 @@ struct ssl_mgr
char * ecdhcurve; char * ecdhcurve;
char * crl_url; char * crl_url;
struct cert_store_param cert_verify_param;
uint8_t ssl_mode_release_buffers; uint8_t ssl_mode_release_buffers;
char trusted_cert_file[TFE_PATH_MAX]; char trusted_cert_file[TFE_PATH_MAX];
char trusted_cert_dir[TFE_PATH_MAX]; char trusted_cert_dir[TFE_PATH_MAX];
char crl_file[TFE_PATH_MAX];
struct ssl_trusted_cert_storage * trust_CA_store; struct ssl_trusted_cert_storage * trust_CA_store;
struct key_keeper * key_keeper; struct key_keeper * key_keeper;
@@ -570,7 +571,9 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
MESA_load_profile_string_def(ini_profile, section, "trusted_cert_dir", mgr->trusted_cert_dir, sizeof(mgr->trusted_cert_dir), MESA_load_profile_string_def(ini_profile, section, "trusted_cert_dir", mgr->trusted_cert_dir, sizeof(mgr->trusted_cert_dir),
"./conf/trusted_storage"); "./conf/trusted_storage");
mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir); MESA_load_profile_uint_def(ini_profile, section, "check_cert_crl", &(mgr->cert_verify_param.check_crl), 0);
mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir, &(mgr->cert_verify_param));
if (mgr->trust_CA_store == NULL) if (mgr->trust_CA_store == NULL)
{ {
TFE_LOG_ERROR(logger, "Failed at creating X509_STORE"); TFE_LOG_ERROR(logger, "Failed at creating X509_STORE");

28
platform/src/ssl_trusted_cert_storage.cpp
View File

@@ -26,6 +26,7 @@ static void free_ssl_x509_obj(void* data)
} }
struct ssl_trusted_cert_storage struct ssl_trusted_cert_storage
{ {
struct cert_store_param param;
char* pem_bundle, *pem_dir; char* pem_bundle, *pem_dir;
MESA_htable_handle hash_table; MESA_htable_handle hash_table;
pthread_rwlock_t rwlock; pthread_rwlock_t rwlock;
@@ -92,7 +93,7 @@ struct ssl_trusted_cert_storage
return 1; return 1;
} }
static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_dir) static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_dir, struct cert_store_param* param)
{ {
int ret=0, n=0, i=0; int ret=0, n=0, i=0;
@@ -113,12 +114,15 @@ static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_di
{ {
return NULL; return NULL;
} }
X509_VERIFY_PARAM *param=NULL;
param = X509_VERIFY_PARAM_new(); X509_VERIFY_PARAM *x509_param=NULL;
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); if(param->check_crl)
X509_STORE_set1_param(store, param); {
X509_VERIFY_PARAM_free(param); x509_param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(x509_param, X509_V_FLAG_CRL_CHECK);
X509_STORE_set1_param(store, x509_param);
X509_VERIFY_PARAM_free(x509_param);
}
struct dirent **namelist = NULL; struct dirent **namelist = NULL;
n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort); n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort);
if(n < 0) if(n < 0)
@@ -165,11 +169,13 @@ static MESA_htable_handle _create_mesa_htable(void)
ret = MESA_htable_mature(htable); ret = MESA_htable_mature(htable);
return htable; return htable;
} }
struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir) struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle,
const char* pem_dir, struct cert_store_param* param)
{ {
int ret=0; int ret=0;
struct ssl_trusted_cert_storage* storage=ALLOC(struct ssl_trusted_cert_storage, 1); struct ssl_trusted_cert_storage* storage=ALLOC(struct ssl_trusted_cert_storage, 1);
storage->effective_store=_X509_store_create(pem_bundle, pem_dir); storage->param=*param;
storage->effective_store=_X509_store_create(pem_bundle, pem_dir, &(storage->param));
if (storage->effective_store == NULL) if (storage->effective_store == NULL)
{ {
return NULL; return NULL;
@@ -242,7 +248,7 @@ int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum
ret=-1; ret=-1;
goto error_out; goto error_out;
} }
temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir); temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param));
MESA_htable_iterate(storage->hash_table, cert_storage_htable_traverse_cb, temp_store); MESA_htable_iterate(storage->hash_table, cert_storage_htable_traverse_cb, temp_store);
X509_STORE_free(storage->effective_store); X509_STORE_free(storage->effective_store);
storage->effective_store=temp_store; storage->effective_store=temp_store;
@@ -259,7 +265,7 @@ void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage)
MESA_htable_destroy(storage->hash_table, NULL); MESA_htable_destroy(storage->hash_table, NULL);
storage->hash_table=_create_mesa_htable(); storage->hash_table=_create_mesa_htable();
temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir); temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param));
pthread_rwlock_wrlock(&(storage->rwlock)); pthread_rwlock_wrlock(&(storage->rwlock));
X509_STORE_free(storage->effective_store); X509_STORE_free(storage->effective_store);