gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bugfix: TSG-8003 预防证书链投毒

Browse Source 
* 中间证书缓存openssl rebuild trust chain中可惜的中间证书, 不缓存服务端发送证书链中的证书
This commit is contained in:
luwenpeng
2021-11-02 22:27:56 +08:00
parent f84e993217
commit cb15d3340f
6 changed files with 82 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
platform/src/ssl_trusted_cert_storage.cpp
View File

@@ -1,6 +1,7 @@
#include "ssl_trusted_cert_storage.h"
#include "ssl_fetch_cert.h"
#include "ssl_stream.h"
#include "MESA_htable_aux.h"
#include <MESA/MESA_htable.h>
@@ -473,23 +474,36 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
ret=1;
}
TFE_LOG_DEBUG(g_default_logger,
"sni:%s, cet_real_untrust:%d, verify_host_fail:%d, verify_issure_fail:%d, verify_self_signed_fail:%d, verify_expiry_date_fail:%d, verify_other_fail:%d",
(hostname ? hostname : "NULL"),
((param->real_untrust & 0xff) ? 1 : 0),
((param->real_untrust & 0x01) ? 1 : 0),
((param->real_untrust & 0x02) ? 1 : 0),
((param->real_untrust & 0x04) ? 1 : 0),
((param->real_untrust & 0x08) ? 1 : 0),
((param->real_untrust & 0x10) ? 1 : 0));
if (is_ssl_debug())
{
TFE_LOG_DEBUG(g_default_logger,
"sni:%s, cet_real_untrust:%d, verify_host_fail:%d, verify_issure_fail:%d, verify_self_signed_fail:%d, verify_expiry_date_fail:%d, verify_other_fail:%d",
(hostname ? hostname : "NULL"),
((param->real_untrust & 0xff) ? 1 : 0),
((param->real_untrust & 0x01) ? 1 : 0),
((param->real_untrust & 0x02) ? 1 : 0),
((param->real_untrust & 0x04) ? 1 : 0),
((param->real_untrust & 0x08) ? 1 : 0),
((param->real_untrust & 0x10) ? 1 : 0));
ssl_chain_dump(hostname, "server_chain", cert_chain);
}
// case cert verify success
if (param->real_untrust == 0) {
ssl_fetch_trusted_cert_from_chain(cert_chain, storage->effective_store, hostname);
if (param->real_untrust == 0)
{
STACK_OF(X509) *trust_chain = X509_STORE_CTX_get1_chain(ctx);
if (trust_chain)
{
if (is_ssl_debug())
{
ssl_chain_dump(hostname, "trust_chain", trust_chain);
}
ssl_fetch_trusted_cert_from_chain(trust_chain, storage->effective_store, hostname);
sk_X509_pop_free(trust_chain, X509_free);
}
}
X509_STORE_CTX_free(ctx);
pthread_rwlock_unlock(&(storage->rwlock));
return ret;
}
}