diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp index f0440ec..8198bcd 100644 --- a/platform/src/ssl_stream.cpp +++ b/platform/src/ssl_stream.cpp @@ -68,6 +68,8 @@ enum ssl_stream_stat SSL_DOWN_CACHE_HIT, SSL_DOWN_TICKET_NEW, SSL_DOWN_TICKET_REUSE, + SSL_DOWN_TICKET_NOTFOUND, + SSL_DOWN_TIKCET_QUERY, SSL_NO_CHELLO, SSL_NO_SNI, @@ -90,7 +92,8 @@ struct ssl_mgr unsigned int no_tls10; unsigned int no_tls11; unsigned int no_tls12; - + unsigned int no_sessticket; + CONST_SSL_METHOD * (* sslmethod)(void); //Parameter of SSL_CTX_new int ssl_min_version, ssl_max_version; char ssl_session_context[8]; @@ -104,14 +107,14 @@ struct ssl_mgr struct session_ticket_key ticket_key; - char default_ciphers[TFE_STRING_MAX]; + char default_ciphers[TFE_SYMBOL_MAX]; DH * dh; char * ecdhcurve; char * crl_url; uint8_t ssl_mode_release_buffers; - char trust_CA_file[TFE_STRING_MAX]; - char trust_CA_dir[TFE_STRING_MAX]; + char trust_CA_file[TFE_PATH_MAX]; + char trust_CA_dir[TFE_PATH_MAX]; X509_STORE * trust_CA_store; struct key_keeper * key_keeper; struct event_base * ev_base_gc; @@ -201,7 +204,7 @@ struct fs_spec void ssl_stat_init(struct ssl_mgr * mgr) { int i=0; - const char* spec[SSL_STAT_MAX]; + const char* spec[SSL_STAT_MAX]={0}; spec[SSL_UP_NEW]="ussl_new"; spec[SSL_UP_ERR]="ussl_err"; spec[SSL_UP_CLOSING]="ussl_clsing"; @@ -219,16 +222,24 @@ void ssl_stat_init(struct ssl_mgr * mgr) spec[SSL_DOWN_CACHE_SZ]="dsess_cache"; spec[SSL_DOWN_CACHE_QUERY]="dcache_query"; spec[SSL_DOWN_CACHE_HIT]="dsess_hitcnt"; - spec[SSL_DOWN_TICKET_NEW]="dtkt_new"; - spec[SSL_DOWN_TICKET_REUSE]="dtkt_reuse"; + if(!mgr->no_sessticket) + { + spec[SSL_DOWN_TICKET_NEW]="dtkt_new"; + spec[SSL_DOWN_TICKET_REUSE]="dtkt_reuse"; + spec[SSL_DOWN_TICKET_NOTFOUND]="dtkt_notfnd"; + spec[SSL_DOWN_TIKCET_QUERY]="dtkt_query"; + } spec[SSL_NO_CHELLO]="ssl_no_chlo"; spec[SSL_NO_SNI]="ssl_no_sni"; spec[SSL_FAKE_CRT]="ssl_fk_crt"; for(i=0;ifs_id[i]=FS_register(mgr->fs_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,spec[i]); + if(spec[i]!=NULL) + { + mgr->fs_id[i]=FS_register(mgr->fs_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,spec[i]); + } } int value=mgr->fs_id[SSL_UP_CACHE_HIT]; @@ -254,7 +265,23 @@ void ssl_stat_init(struct ssl_mgr * mgr) 1, FS_STYLE_STATUS, FS_CALC_CURRENT, - "dsess_hit"); + "dsess_hit"); + if(!mgr->no_sessticket) + { + value=mgr->fs_id[SSL_DOWN_TIKCET_QUERY]; + FS_set_para(mgr->fs_handle, ID_INVISBLE, &value, sizeof(value)); + + value=mgr->fs_id[SSL_DOWN_TICKET_REUSE]; + FS_set_para(mgr->fs_handle, ID_INVISBLE, &value, sizeof(value)); + + FS_register_ratio(mgr->fs_handle, + mgr->fs_id[SSL_DOWN_TICKET_REUSE], + mgr->fs_id[SSL_DOWN_TIKCET_QUERY], + 1, + FS_STYLE_STATUS, + FS_CALC_CURRENT, + "dtkt_hit"); + } return; } static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt); @@ -451,6 +478,7 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section MESA_load_profile_uint_def(ini_profile, section, "no_tls12", &(mgr->no_tls12), 0); MESA_load_profile_string_def(ini_profile, section, "default_ciphers", mgr->default_ciphers, sizeof(mgr->default_ciphers), DFLT_CIPHERS); + MESA_load_profile_uint_def(ini_profile, section, "no_session_ticket", &(mgr->no_sessticket), 0); @@ -959,20 +987,22 @@ static int ossl_session_ticket_key_callback(SSL *ssl_conn, unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc) { - const EVP_MD *digest=NULL; - const EVP_CIPHER *cipher=NULL; - size_t size=0; - struct ssl_mgr * mgr = (struct ssl_mgr *) SSL_get_ex_data(ssl_conn, SSL_EX_DATA_IDX_SSLMGR); - struct session_ticket_key* key=&(mgr->ticket_key); - assert(mgr!=NULL); - digest = EVP_sha256(); - unsigned char buf[32]; + const EVP_MD *digest=EVP_sha256(); + const EVP_CIPHER *cipher=EVP_aes_256_cbc(); + size_t size=32; + struct ssl_mgr * mgr = (struct ssl_mgr *) SSL_get_ex_data(ssl_conn, SSL_EX_DATA_IDX_SSLMGR); + assert(mgr!=NULL); + + struct session_ticket_key* key=&(mgr->ticket_key); + + unsigned char buf[33]={0}; + + ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_TIKCET_QUERY])); if (enc == 1) { /* encrypt session ticket */ - cipher = EVP_aes_256_cbc(); - size = 32; + if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) { @@ -1003,11 +1033,10 @@ static int ossl_session_ticket_key_callback(SSL *ssl_conn, { TFE_LOG_INFO(mgr->logger, "ssl session ticket decrypt, key: \"%*s\" not found" ,tfe_hexdump(buf, name ,16)-buf, buf); + ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_TICKET_NOTFOUND])); return 0; } - cipher = EVP_aes_256_cbc(); - size = 32; if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) @@ -1134,6 +1163,10 @@ static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr) { SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1_2); } + if(mgr->no_sessticket) + { + SSL_CTX_set_options(sslctx, SSL_OP_NO_TICKET); + } if (!mgr->sslcomp) { SSL_CTX_set_options(sslctx, SSL_OP_NO_COMPRESSION); @@ -1170,8 +1203,10 @@ static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt) SSL_CTX_sess_set_new_cb(sslctx, ossl_sessnew_cb); SSL_CTX_sess_set_remove_cb(sslctx, ossl_sessremove_cb); SSL_CTX_sess_set_get_cb(sslctx, ossl_sessget_cb); - ret=SSL_CTX_set_tlsext_ticket_key_cb(sslctx, ossl_session_ticket_key_callback); - assert(ret!=0); + if(!mgr->no_sessticket) + { + SSL_CTX_set_tlsext_ticket_key_cb(sslctx, ossl_session_ticket_key_callback); + } SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL); SSL_CTX_set_session_id_context(sslctx, (const unsigned char *) mgr->ssl_session_context, sizeof(mgr->ssl_session_context));