增加session ticket的开关。

This commit is contained in:
zhengchao
2018-10-08 10:55:03 +08:00
parent 7ac76efac2
commit d63dfaa4d4


@@ -68,6 +68,8 @@ enum ssl_stream_stat
SSL_DOWN_CACHE_HIT, SSL_DOWN_CACHE_HIT,
SSL_DOWN_TICKET_NEW, SSL_DOWN_TICKET_NEW,
SSL_DOWN_TICKET_REUSE, SSL_DOWN_TICKET_REUSE,
SSL_DOWN_TICKET_NOTFOUND,
SSL_DOWN_TIKCET_QUERY,
SSL_NO_CHELLO, SSL_NO_CHELLO,
SSL_NO_SNI, SSL_NO_SNI,
@@ -90,6 +92,7 @@ struct ssl_mgr
unsigned int no_tls10; unsigned int no_tls10;
unsigned int no_tls11; unsigned int no_tls11;
unsigned int no_tls12; unsigned int no_tls12;
unsigned int no_sessticket;
CONST_SSL_METHOD * (* sslmethod)(void); //Parameter of SSL_CTX_new CONST_SSL_METHOD * (* sslmethod)(void); //Parameter of SSL_CTX_new
int ssl_min_version, ssl_max_version; int ssl_min_version, ssl_max_version;
@@ -104,14 +107,14 @@ struct ssl_mgr
struct session_ticket_key ticket_key; struct session_ticket_key ticket_key;
char default_ciphers[TFE_STRING_MAX]; char default_ciphers[TFE_SYMBOL_MAX];
DH * dh; DH * dh;
char * ecdhcurve; char * ecdhcurve;
char * crl_url; char * crl_url;
uint8_t ssl_mode_release_buffers; uint8_t ssl_mode_release_buffers;
char trust_CA_file[TFE_STRING_MAX]; char trust_CA_file[TFE_PATH_MAX];
char trust_CA_dir[TFE_STRING_MAX]; char trust_CA_dir[TFE_PATH_MAX];
X509_STORE * trust_CA_store; X509_STORE * trust_CA_store;
struct key_keeper * key_keeper; struct key_keeper * key_keeper;
struct event_base * ev_base_gc; struct event_base * ev_base_gc;
@@ -201,7 +204,7 @@ struct fs_spec
void ssl_stat_init(struct ssl_mgr * mgr) void ssl_stat_init(struct ssl_mgr * mgr)
{ {
int i=0; int i=0;
const char* spec[SSL_STAT_MAX]; const char* spec[SSL_STAT_MAX]={0};
spec[SSL_UP_NEW]="ussl_new"; spec[SSL_UP_NEW]="ussl_new";
spec[SSL_UP_ERR]="ussl_err"; spec[SSL_UP_ERR]="ussl_err";
spec[SSL_UP_CLOSING]="ussl_clsing"; spec[SSL_UP_CLOSING]="ussl_clsing";
@@ -219,17 +222,25 @@ void ssl_stat_init(struct ssl_mgr * mgr)
spec[SSL_DOWN_CACHE_SZ]="dsess_cache"; spec[SSL_DOWN_CACHE_SZ]="dsess_cache";
spec[SSL_DOWN_CACHE_QUERY]="dcache_query"; spec[SSL_DOWN_CACHE_QUERY]="dcache_query";
spec[SSL_DOWN_CACHE_HIT]="dsess_hitcnt"; spec[SSL_DOWN_CACHE_HIT]="dsess_hitcnt";
if(!mgr->no_sessticket)
{
spec[SSL_DOWN_TICKET_NEW]="dtkt_new"; spec[SSL_DOWN_TICKET_NEW]="dtkt_new";
spec[SSL_DOWN_TICKET_REUSE]="dtkt_reuse"; spec[SSL_DOWN_TICKET_REUSE]="dtkt_reuse";
spec[SSL_DOWN_TICKET_NOTFOUND]="dtkt_notfnd";
spec[SSL_DOWN_TIKCET_QUERY]="dtkt_query";
}
spec[SSL_NO_CHELLO]="ssl_no_chlo"; spec[SSL_NO_CHELLO]="ssl_no_chlo";
spec[SSL_NO_SNI]="ssl_no_sni"; spec[SSL_NO_SNI]="ssl_no_sni";
spec[SSL_FAKE_CRT]="ssl_fk_crt"; spec[SSL_FAKE_CRT]="ssl_fk_crt";
for(i=0;i<SSL_STAT_MAX;i++) for(i=0;i<SSL_STAT_MAX;i++)
{
if(spec[i]!=NULL)
{ {
mgr->fs_id[i]=FS_register(mgr->fs_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,spec[i]); mgr->fs_id[i]=FS_register(mgr->fs_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,spec[i]);
} }
}
int value=mgr->fs_id[SSL_UP_CACHE_HIT]; int value=mgr->fs_id[SSL_UP_CACHE_HIT];
FS_set_para(mgr->fs_handle, ID_INVISBLE, &value, sizeof(value)); FS_set_para(mgr->fs_handle, ID_INVISBLE, &value, sizeof(value));
@@ -255,6 +266,22 @@ void ssl_stat_init(struct ssl_mgr * mgr)
FS_STYLE_STATUS, FS_STYLE_STATUS,
FS_CALC_CURRENT, FS_CALC_CURRENT,
"dsess_hit"); "dsess_hit");
if(!mgr->no_sessticket)
{
value=mgr->fs_id[SSL_DOWN_TIKCET_QUERY];
FS_set_para(mgr->fs_handle, ID_INVISBLE, &value, sizeof(value));
value=mgr->fs_id[SSL_DOWN_TICKET_REUSE];
FS_set_para(mgr->fs_handle, ID_INVISBLE, &value, sizeof(value));
FS_register_ratio(mgr->fs_handle,
mgr->fs_id[SSL_DOWN_TICKET_REUSE],
mgr->fs_id[SSL_DOWN_TIKCET_QUERY],
1,
FS_STYLE_STATUS,
FS_CALC_CURRENT,
"dtkt_hit");
}
return; return;
} }
static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt); static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt);
@@ -451,6 +478,7 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
MESA_load_profile_uint_def(ini_profile, section, "no_tls12", &(mgr->no_tls12), 0); MESA_load_profile_uint_def(ini_profile, section, "no_tls12", &(mgr->no_tls12), 0);
MESA_load_profile_string_def(ini_profile, section, "default_ciphers", mgr->default_ciphers, MESA_load_profile_string_def(ini_profile, section, "default_ciphers", mgr->default_ciphers,
sizeof(mgr->default_ciphers), DFLT_CIPHERS); sizeof(mgr->default_ciphers), DFLT_CIPHERS);
MESA_load_profile_uint_def(ini_profile, section, "no_session_ticket", &(mgr->no_sessticket), 0);
@@ -959,20 +987,22 @@ static int ossl_session_ticket_key_callback(SSL *ssl_conn,
unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
HMAC_CTX *hctx, int enc) HMAC_CTX *hctx, int enc)
{ {
const EVP_MD *digest=NULL; const EVP_MD *digest=EVP_sha256();
const EVP_CIPHER *cipher=NULL; const EVP_CIPHER *cipher=EVP_aes_256_cbc();
size_t size=0; size_t size=32;
struct ssl_mgr * mgr = (struct ssl_mgr *) SSL_get_ex_data(ssl_conn, SSL_EX_DATA_IDX_SSLMGR);
struct session_ticket_key* key=&(mgr->ticket_key);
assert(mgr!=NULL);
digest = EVP_sha256();
unsigned char buf[32];
struct ssl_mgr * mgr = (struct ssl_mgr *) SSL_get_ex_data(ssl_conn, SSL_EX_DATA_IDX_SSLMGR);
assert(mgr!=NULL);
struct session_ticket_key* key=&(mgr->ticket_key);
unsigned char buf[33]={0};
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_TIKCET_QUERY]));
if (enc == 1) if (enc == 1)
{ {
/* encrypt session ticket */ /* encrypt session ticket */
cipher = EVP_aes_256_cbc();
size = 32;
if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1)
{ {
@@ -1003,11 +1033,10 @@ static int ossl_session_ticket_key_callback(SSL *ssl_conn,
{ {
TFE_LOG_INFO(mgr->logger, "ssl session ticket decrypt, key: \"%*s\" not found" TFE_LOG_INFO(mgr->logger, "ssl session ticket decrypt, key: \"%*s\" not found"
,tfe_hexdump(buf, name ,16)-buf, buf); ,tfe_hexdump(buf, name ,16)-buf, buf);
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_TICKET_NOTFOUND]));
return 0; return 0;
} }
cipher = EVP_aes_256_cbc();
size = 32;
if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1)
@@ -1134,6 +1163,10 @@ static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr)
{ {
SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1_2); SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1_2);
} }
if(mgr->no_sessticket)
{
SSL_CTX_set_options(sslctx, SSL_OP_NO_TICKET);
}
if (!mgr->sslcomp) if (!mgr->sslcomp)
{ {
SSL_CTX_set_options(sslctx, SSL_OP_NO_COMPRESSION); SSL_CTX_set_options(sslctx, SSL_OP_NO_COMPRESSION);
@@ -1170,8 +1203,10 @@ static SSL * downstream_ssl_create(struct ssl_mgr * mgr, struct keyring * crt)
SSL_CTX_sess_set_new_cb(sslctx, ossl_sessnew_cb); SSL_CTX_sess_set_new_cb(sslctx, ossl_sessnew_cb);
SSL_CTX_sess_set_remove_cb(sslctx, ossl_sessremove_cb); SSL_CTX_sess_set_remove_cb(sslctx, ossl_sessremove_cb);
SSL_CTX_sess_set_get_cb(sslctx, ossl_sessget_cb); SSL_CTX_sess_set_get_cb(sslctx, ossl_sessget_cb);
ret=SSL_CTX_set_tlsext_ticket_key_cb(sslctx, ossl_session_ticket_key_callback); if(!mgr->no_sessticket)
assert(ret!=0); {
SSL_CTX_set_tlsext_ticket_key_cb(sslctx, ossl_session_ticket_key_callback);
}
SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL); SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL);
SSL_CTX_set_session_id_context(sslctx, (const unsigned char *) mgr->ssl_session_context, SSL_CTX_set_session_id_context(sslctx, (const unsigned char *) mgr->ssl_session_context,
sizeof(mgr->ssl_session_context)); sizeof(mgr->ssl_session_context));
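Review bot: The return value of `SSL_CTX_set_tlsext_ticket_key_cb` is no longer checked on the new side of the last hunk (the old `ret=...; assert(ret!=0);` became a bare call inside `if(!mgr->no_sessticket)`), so a failed registration is silent and OpenSSL presumably keeps the default ticket key it generated at SSL_CTX creation instead of routing through `ossl_session_ticket_key_callback` and `mgr->ticket_key`. That would mean tickets issued under a key the manager neither controls nor rotates, with nothing in the logs to show it. Keep the check — `ret = SSL_CTX_set_tlsext_ticket_key_cb(sslctx, ossl_session_ticket_key_callback); assert(ret != 0);` — or, better, log through `mgr->logger` and fail the create path, since `assert` vanishes under NDEBUG. Separately, the new enum member `SSL_DOWN_TIKCET_QUERY` (first hunk, then used in the stats and key-callback hunks) is misspelled and worth renaming to `SSL_DOWN_TICKET_QUERY` before other code depends on it. `downstream_ssl_create` starts and ends outside this hunk.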