增加session ticket的开关。

zhengchao
2018-10-08 10:55:03 +08:00
parent 7ac76efac2
commit d63dfaa4d4


@@ -68,6 +68,8 @@ enum ssl_stream_stat
SSL_DOWN_CACHE_HIT,
SSL_DOWN_TICKET_NEW,
SSL_DOWN_TICKET_REUSE,
SSL_DOWN_TICKET_NOTFOUND,
SSL_DOWN_TIKCET_QUERY,
SSL_NO_CHELLO,
SSL_NO_SNI,
@@ -90,7 +92,8 @@ struct ssl_mgr
unsigned int no_tls10;
unsigned int no_tls11;
unsigned int no_tls12;
unsigned int no_sessticket;
CONST_SSL_METHOD * (* sslmethod)(void); //Parameter of SSL_CTX_new
int ssl_min_version, ssl_max_version;
char ssl_session_context[8];
@@ -104,14 +107,14 @@ struct ssl_mgr
struct session_ticket_key ticket_key;
char default_ciphers[TFE_STRING_MAX];
char default_ciphers[TFE_SYMBOL_MAX];
DH * dh;
char * ecdhcurve;
char * crl_url;
uint8_t ssl_mode_release_buffers;
char trust_CA_file[TFE_STRING_MAX];
char trust_CA_dir[TFE_STRING_MAX];
char trust_CA_file[TFE_PATH_MAX];
char trust_CA_dir[TFE_PATH_MAX];
X509_STORE * trust_CA_store;
struct key_keeper * key_keeper;
struct event_base * ev_base_gc;
@@ -201,7 +204,7 @@ struct fs_spec
void ssl_stat_init(struct ssl_mgr * mgr)
{
int i=0;
const char* spec[SSL_STAT_MAX];
const char* spec[SSL_STAT_MAX]={0};
spec[SSL_UP_NEW]="ussl_new";
spec[SSL_UP_ERR]="ussl_err";
spec[SSL_UP_CLOSING]="ussl_clsing";
@@ -219,16 +222,24 @@ void ssl_stat_init(struct ssl_mgr * mgr)
spec[SSL_DOWN_CACHE_SZ]="dsess_cache";
spec[SSL_DOWN_CACHE_QUERY]="dcache_query";
spec[SSL_DOWN_CACHE_HIT]="dsess_hitcnt";
spec[SSL_DOWN_TICKET_NEW]="dtkt_new";
spec[SSL_DOWN_TICKET_REUSE]="dtkt_reuse";
if(!mgr->no_sessticket)
{
spec[SSL_DOWN_TICKET_NEW]="dtkt_new";
spec[SSL_DOWN_TICKET_REUSE]="dtkt_reuse";
spec[SSL_DOWN_TICKET_NOTFOUND]="dtkt_notfnd";
spec[SSL_DOWN_TIKCET_QUERY]="dtkt_query";
}
spec[SSL_NO_CHELLO]="ssl_no_chlo";
spec[SSL_NO_SNI]="ssl_no_sni";
spec[SSL_FAKE_CRT]="ssl_fk_crt";
for(i=0;i<SSL_STAT_MAX;i++)
{
mgr->fs_id[i]=FS_register(mgr->fs_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,spec[i]);
if(spec[i]!=NULL)
{
mgr->fs_id[i]=FS_register(mgr->fs_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,spec[i]);
}
}
int value=mgr->fs_id[SSL_UP_CACHE_HIT];
@@ -254,7 +265,23 @@ void ssl_stat_init(struct ssl_mgr * mgr)
1,
FS_STYLE_STATUS,
FS_CALC_CURRENT,
"dsess_hit");
"dsess_hit");
if(!mgr->no_sessticket)
{
value=mgr->fs_id[SSL_DOWN_TIKCET_QUERY];
FS_set_para(mgr->fs_handle, ID_INVISBLE, &value, sizeof(value));
value=mgr->fs_id[SSL_DOWN_TICKET_REUSE];
FS_set_para(mgr->fs_handle, ID_INVISBLE, &value, sizeof(value));
FS_register_ratio(mgr->fs_handle,
mgr->fs_id[SSL_DOWN_TICKET_REUSE],
mgr->fs_id[SSL_DOWN_TIKCET_QUERY],
1,
FS_STYLE_STATUS,
FS_CALC_CURRENT,
"dtkt_hit");
}
return;
}
static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt);
@@ -451,6 +478,7 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
MESA_load_profile_uint_def(ini_profile, section, "no_tls12", &(mgr->no_tls12), 0);
MESA_load_profile_string_def(ini_profile, section, "default_ciphers", mgr->default_ciphers,
sizeof(mgr->default_ciphers), DFLT_CIPHERS);
MESA_load_profile_uint_def(ini_profile, section, "no_session_ticket", &(mgr->no_sessticket), 0);
@@ -959,20 +987,22 @@ static int ossl_session_ticket_key_callback(SSL *ssl_conn,
unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
HMAC_CTX *hctx, int enc)
{
const EVP_MD *digest=NULL;
const EVP_CIPHER *cipher=NULL;
size_t size=0;
struct ssl_mgr * mgr = (struct ssl_mgr *) SSL_get_ex_data(ssl_conn, SSL_EX_DATA_IDX_SSLMGR);
struct session_ticket_key* key=&(mgr->ticket_key);
assert(mgr!=NULL);
digest = EVP_sha256();
unsigned char buf[32];
const EVP_MD *digest=EVP_sha256();
const EVP_CIPHER *cipher=EVP_aes_256_cbc();
size_t size=32;
struct ssl_mgr * mgr = (struct ssl_mgr *) SSL_get_ex_data(ssl_conn, SSL_EX_DATA_IDX_SSLMGR);
assert(mgr!=NULL);
struct session_ticket_key* key=&(mgr->ticket_key);
unsigned char buf[33]={0};
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_TIKCET_QUERY]));
if (enc == 1)
{
/* encrypt session ticket */
cipher = EVP_aes_256_cbc();
size = 32;
if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1)
{
@@ -1003,11 +1033,10 @@ static int ossl_session_ticket_key_callback(SSL *ssl_conn,
{
TFE_LOG_INFO(mgr->logger, "ssl session ticket decrypt, key: \"%*s\" not found"
,tfe_hexdump(buf, name ,16)-buf, buf);
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_TICKET_NOTFOUND]));
return 0;
}
cipher = EVP_aes_256_cbc();
size = 32;
if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1)
@@ -1134,6 +1163,10 @@ static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr)
{
SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1_2);
}
if(mgr->no_sessticket)
{
SSL_CTX_set_options(sslctx, SSL_OP_NO_TICKET);
}
if (!mgr->sslcomp)
{
SSL_CTX_set_options(sslctx, SSL_OP_NO_COMPRESSION);
@@ -1170,8 +1203,10 @@ static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt)
SSL_CTX_sess_set_new_cb(sslctx, ossl_sessnew_cb);
SSL_CTX_sess_set_remove_cb(sslctx, ossl_sessremove_cb);
SSL_CTX_sess_set_get_cb(sslctx, ossl_sessget_cb);
ret=SSL_CTX_set_tlsext_ticket_key_cb(sslctx, ossl_session_ticket_key_callback);
assert(ret!=0);
if(!mgr->no_sessticket)
{
SSL_CTX_set_tlsext_ticket_key_cb(sslctx, ossl_session_ticket_key_callback);
}
SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL);
SSL_CTX_set_session_id_context(sslctx, (const unsigned char *) mgr->ssl_session_context,
sizeof(mgr->ssl_session_context));
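Review bot: The new `if(!mgr->no_sessticket)` branch in this last hunk drops the `ret`/`assert(ret!=0)` that the removed lines kept around `SSL_CTX_set_tlsext_ticket_key_cb`, so a failed registration is now silent: tickets would then (as far as I recall of OpenSSL's fallback) be protected by the library's own per-context keys rather than `mgr->ticket_key`, the `dtkt_*` counters incremented in the callback would never move, and nothing logs it. Keep a check rather than discarding the return value, e.g. `if(SSL_CTX_set_tlsext_ticket_key_cb(sslctx, ossl_session_ticket_key_callback)!=1)` followed by a log on `mgr->logger` and failing the create — or at minimum the original assert. Whether downstream_ssl_create has an error path to reach there is not visible, since its body continues past the hunk. Separately, the new enum constant is spelled `SSL_DOWN_TIKCET_QUERY` at every use; `SSL_DOWN_TICKET_QUERY` would match its neighbours and the `dtkt_query` label.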