ssl stream修复upstream session cache key生成错误的bug。
@@ -13,23 +13,30 @@
|
||||
#define KEYRING_EXSITED 0
|
||||
#define KEYRING_NOT_EXSITED -1
|
||||
|
||||
enum key_keeper_mode{
|
||||
KK_MODE_NORMAL = 0,
|
||||
KK_MODE_DEBUG,
|
||||
};
|
||||
|
||||
struct key_keeper
|
||||
{
|
||||
char mode[TFE_STRING_MAX];
|
||||
char ca_path[TFE_STRING_MAX];
|
||||
char untrusted_ca_path[TFE_STRING_MAX];
|
||||
char cert_store_host[TFE_STRING_MAX];
|
||||
enum key_keeper_mode work_mode;
|
||||
char trusted_ca_path[TFE_PATH_MAX];
|
||||
char untrusted_ca_path[TFE_PATH_MAX];
|
||||
char cert_store_host[TFE_SYMBOL_MAX];
|
||||
unsigned int cert_store_port;
|
||||
unsigned int hash_slot_size;
|
||||
unsigned int hash_expire_seconds;
|
||||
MESA_htable_handle htable;
|
||||
void* logger;
|
||||
X509* trusted_ca_cert;
|
||||
EVP_PKEY* trusted_ca_key;
|
||||
|
||||
X509* untrusted_ca_cert;
|
||||
EVP_PKEY* untrusted_ca_key;
|
||||
};
|
||||
|
||||
enum KEY_KEEPER_MODE{
|
||||
NORMAL = 0,
|
||||
DEBUG,
|
||||
};
|
||||
|
||||
|
||||
struct keyring_private
|
||||
{
|
||||
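Review bot: The new `trusted_ca_cert`/`trusted_ca_key`/`untrusted_ca_cert`/`untrusted_ca_key` members hold long-lived CA signing material, yet nothing in the struct says who populates them, when, or who frees them; add above them `/* CA signing material: loaded by key_keeper_init only in KK_MODE_DEBUG (NULL otherwise), released by key_keeper_destroy. */`. With the mode string replaced by `work_mode`, the enum also deserves a line, e.g. `/* KK_MODE_NORMAL: obtain forged keyrings from cert_store_host; KK_MODE_DEBUG: forge locally with the CA material in struct key_keeper. */` — the NORMAL half is inferred from the `cert_store_*` fields and the URL path in the later hunk, so confirm it. `KEYRING_EXSITED`/`KEYRING_NOT_EXSITED` are context rather than new, but the misspelling (EXISTED) could be corrected while this header is being reworked.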
@@ -361,10 +368,9 @@ static long keyring_local_cache_query_cb(void * data, const uchar * key, uint si
|
||||
}
|
||||
|
||||
|
||||
static struct keyring_private* generate_x509_keyring(X509* origin_cert, int keyring_id, const char* filename)
|
||||
static struct keyring_private* generate_x509_keyring(X509* origin_cert, X509* ca, EVP_PKEY* cakey)
|
||||
{
|
||||
X509* ca = ssl_x509_load(filename);
|
||||
EVP_PKEY* cakey = ssl_key_load(filename);
|
||||
//TODO: could be optimized to save cpu.
|
||||
EVP_PKEY* forge_key = ssl_key_genrsa(1024);
|
||||
X509* forge_cert = ssl_x509_forge(ca, cakey, origin_cert, forge_key, NULL, NULL);
|
||||
STACK_OF(X509)* chain = sk_X509_new_null();
|
||||
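Review bot: `generate_x509_keyring` now borrows `ca` and `cakey` from the caller instead of loading them from `filename`, and the matching `X509_free(ca)`/`EVP_PKEY_free(cakey)` are dropped in the following hunk, but nothing records this change of ownership; add above the signature `/* ca/cakey are owned by the key_keeper (loaded in key_keeper_init); callee must not free them. */`. Both parameters go straight into `ssl_x509_forge` with no NULL check, and key_keeper_init only loads them in KK_MODE_DEBUG, so a guard `if (ca == NULL || cakey == NULL) return NULL;` at the top of the body turns a mode mix-up into a clean failure instead of a crash inside the forge helper (how `ssl_x509_forge` reacts to NULL is not visible here). The function body continues past the end of this hunk. Not part of this change, but the context line `ssl_key_genrsa(1024)` mints a 1024-bit RSA key per forged keyring, which is below current minimum recommendations (2048 bits) and worth a follow-up.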
@@ -376,8 +382,7 @@ static struct keyring_private* generate_x509_keyring(X509* origin_cert, int keyr
|
||||
keyring_set_key(_kyr, forge_key);
|
||||
keyring_set_cert(_kyr, forge_cert);
|
||||
keyring_set_chain(_kyr, chain);
|
||||
X509_free(ca);
|
||||
EVP_PKEY_free(cakey);
|
||||
|
||||
X509_free(forge_cert);
|
||||
EVP_PKEY_free(forge_key);
|
||||
sk_X509_pop_free(chain, X509_free);
|
||||
@@ -481,29 +486,71 @@ static MESA_htable_handle create_hash_table(unsigned int slot_size, unsigned int
|
||||
return htable;
|
||||
}
|
||||
|
||||
void key_keeper_destroy(struct key_keeper *keeper)
|
||||
{
|
||||
MESA_htable_destroy(keeper->htable, NULL);
|
||||
X509_free(keeper->trusted_ca_cert);
|
||||
EVP_PKEY_free(keeper->trusted_ca_key);
|
||||
|
||||
X509_free(keeper->untrusted_ca_cert);
|
||||
EVP_PKEY_free(keeper->untrusted_ca_key);
|
||||
|
||||
free(keeper);
|
||||
keeper = NULL;
|
||||
return;
|
||||
}
|
||||
|
||||
struct key_keeper* key_keeper_init(const char * profile, const char* section, void* logger)
|
||||
{
|
||||
struct key_keeper* keeper = ALLOC(struct key_keeper, 1);
|
||||
keeper->logger = logger;
|
||||
MESA_load_profile_string_def(profile, section, "mode", keeper->mode, sizeof(keeper->mode), "debug");
|
||||
MESA_load_profile_string_def(profile, section, "ca_path", keeper->ca_path, sizeof(keeper->ca_path), "./conf/mesalab-ca.pem");
|
||||
MESA_load_profile_string_def(profile, section, "untrusted_ca_path", keeper->untrusted_ca_path, sizeof(keeper->untrusted_ca_path), "./conf/mesalab-ca.pem");
|
||||
char tmp[TFE_STRING_MAX]={0};
|
||||
MESA_load_profile_string_def(profile, section, "mode", tmp, sizeof(tmp), "debug");
|
||||
if(strncmp(tmp, "debug", TFE_STRING_MAX) == 0)
|
||||
{
|
||||
keeper->work_mode = KK_MODE_DEBUG;
|
||||
}
|
||||
else
|
||||
{
|
||||
keeper->work_mode = KK_MODE_NORMAL;
|
||||
}
|
||||
MESA_load_profile_string_def(profile, section, "ca_path", keeper->trusted_ca_path, sizeof(keeper->trusted_ca_path), "./conf/mesalab-ca.pem");
|
||||
MESA_load_profile_string_def(profile, section, "untrusted_ca_path", keeper->untrusted_ca_path, sizeof(keeper->untrusted_ca_path), "./conf/mesalab-ca-untrust.pem");
|
||||
MESA_load_profile_string_def(profile, section, "cert_store_host", keeper->cert_store_host, sizeof(keeper->cert_store_host), "xxxxx");
|
||||
MESA_load_profile_uint_def(profile, section, "cert_store_port", &(keeper->cert_store_port), 80);
|
||||
MESA_load_profile_uint_def(profile, section, "hash_slot_size", &(keeper->hash_slot_size), 1024*128);
|
||||
MESA_load_profile_uint_def(profile, section, "hash_expire_seconds", &(keeper->hash_expire_seconds), 5*60);
|
||||
keeper->htable = create_hash_table(keeper->hash_slot_size, keeper->hash_expire_seconds);
|
||||
if(0==strcmp(keeper->untrusted_ca_path, keeper->trusted_ca_path))
|
||||
{
|
||||
TFE_LOG_ERROR(logger, "Warnning: Trusted and Untrusted Root CA share the same path % .", keeper->trusted_ca_path);
|
||||
}
|
||||
if(keeper->work_mode==KK_MODE_DEBUG)
|
||||
{
|
||||
keeper->trusted_ca_cert=ssl_x509_load(keeper->trusted_ca_path);
|
||||
keeper->trusted_ca_key=ssl_key_load(keeper->trusted_ca_path);
|
||||
if(keeper->trusted_ca_cert==NULL||keeper->trusted_ca_key==NULL)
|
||||
{
|
||||
TFE_LOG_ERROR(logger, "Load Trusted Root CA %s failed.", keeper->trusted_ca_path);
|
||||
goto error_out;
|
||||
}
|
||||
keeper->untrusted_ca_cert=ssl_x509_load(keeper->untrusted_ca_path);
|
||||
keeper->untrusted_ca_key=ssl_key_load(keeper->untrusted_ca_path);
|
||||
if(keeper->untrusted_ca_cert==NULL||keeper->trusted_ca_key==NULL)
|
||||
{
|
||||
TFE_LOG_ERROR(logger, "Load Untrusted Root CA %s failed.", keeper->untrusted_ca_path);
|
||||
goto error_out;
|
||||
}
|
||||
}
|
||||
TFE_LOG_INFO(logger, "MESA_load_profile, [%s]: mode:%s, ca_path:%s, untrusted_ca_path:%s, cert_store_host:%s, cert_store_port:%d, hash_slot_size:%d, hash_expire_seconds:%d",
|
||||
section, keeper->mode, keeper->ca_path, keeper->untrusted_ca_path, keeper->cert_store_host, keeper->cert_store_port, keeper->hash_slot_size, keeper->hash_expire_seconds);
|
||||
section, tmp, keeper->trusted_ca_path, keeper->untrusted_ca_path, keeper->cert_store_host, keeper->cert_store_port, keeper->hash_slot_size, keeper->hash_expire_seconds);
|
||||
|
||||
return keeper;
|
||||
}
|
||||
|
||||
void key_keeper_destroy(struct key_keeper *keeper)
|
||||
{
|
||||
MESA_htable_destroy(keeper->htable, NULL);
|
||||
free(keeper);
|
||||
keeper = NULL;
|
||||
return;
|
||||
|
||||
error_out:
|
||||
key_keeper_destroy(keeper);
|
||||
return NULL;
|
||||
|
||||
}
|
||||
|
||||
struct keyring* key_keeper_release_keyring(future_result_t* result)
|
||||
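Review bot: The untrusted-CA check `if(keeper->untrusted_ca_cert==NULL||keeper->trusted_ca_key==NULL)` tests the trusted key a second time, so a missing or unparsable `untrusted_ca_key` is never caught and the later `generate_x509_keyring(origin_cert, keeper->untrusted_ca_cert, keeper->untrusted_ca_key)` call receives a NULL signing key; change it to `if(keeper->untrusted_ca_cert==NULL||keeper->untrusted_ca_key==NULL)`. The same-path warning's format string `"... share the same path % ."` contains no valid conversion, so the path is never printed and the call is undefined behaviour; use `"Warning: Trusted and Untrusted Root CA share the same path %s."`, and since two distinct CAs are the whole basis for distinguishing a verified origin from an unverified one, consider making this a hard error (`goto error_out`) in KK_MODE_DEBUG rather than a log line. The `error_out` path hands a partially built keeper to `key_keeper_destroy`, which only works if `ALLOC` zero-fills so that `X509_free`/`EVP_PKEY_free` see NULL for material not yet loaded; that is not visible here, so confirm it or initialise the four pointers explicitly after allocation. In the relocated `key_keeper_destroy`, `keeper = NULL;` only clears the local parameter and can be dropped.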
@@ -573,13 +620,9 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
|
||||
//printf("KEYRING_EXSITED\n");
|
||||
return;
|
||||
}
|
||||
int mode = 0;
|
||||
if(strncmp(keeper->mode, "debug", TFE_STRING_MAX) == 0)
|
||||
switch(keeper->work_mode)
|
||||
{
|
||||
mode = 1;
|
||||
}
|
||||
switch(mode){
|
||||
case NORMAL:
|
||||
case KK_MODE_NORMAL:
|
||||
{
|
||||
char* origin_cert_pem = transform_cert_to_pem(origin_cert);
|
||||
if(origin_cert_pem == NULL)
|
||||
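Review bot: `switch(keeper->work_mode)` shows no `default:` within this hunk (both the switch and the enclosing `key_keeper_async_ask` continue past it); if none exists further down, an unexpected `work_mode` value drops out of the switch silently and the pending `future` is presumably never completed. Add `default: TFE_LOG_ERROR(keeper->logger, "unknown work_mode %d", keeper->work_mode); break;` and, if the future must be failed explicitly, do so there as well — the completion API is not visible here.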
@@ -614,18 +657,17 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
|
||||
free(url);
|
||||
break;
|
||||
}
|
||||
case DEBUG:
|
||||
case KK_MODE_DEBUG:
|
||||
{
|
||||
char* filename = NULL;
|
||||
struct keyring_private* kyr=NULL;
|
||||
if(is_cert_valid == 1)
|
||||
{
|
||||
filename = keeper->ca_path;
|
||||
kyr=generate_x509_keyring(origin_cert, keeper->trusted_ca_cert, keeper->trusted_ca_key);
|
||||
}
|
||||
else
|
||||
{
|
||||
filename = keeper->untrusted_ca_path;
|
||||
kyr=generate_x509_keyring(origin_cert, keeper->untrusted_ca_cert, keeper->untrusted_ca_key);
|
||||
}
|
||||
struct keyring_private* kyr = generate_x509_keyring(origin_cert, keyring_id, filename);
|
||||
if(kyr)
|
||||
{
|
||||
keyring_ref_inc(kyr);
|
||||
|
||||
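Review bot: The `is_cert_valid == 1` branch decides which CA signs the forged certificate — the security-relevant decision of this function — but carries no comment; add above the `if` `/* Verified origin cert -> sign with the CA clients trust; anything else -> sign with the untrusted CA so the client still sees a validation failure. */` (intent inferred from the field names, so confirm). The exact-equality test also means any non-1 `is_cert_valid` value lands on the untrusted CA, which fails closed and is fine, but is worth stating in that comment. As a style point, `struct keyring_private* kyr=NULL;` followed by an unconditional assignment in both branches could become a single `generate_x509_keyring` call after selecting the CA cert/key pair. `key_keeper_async_ask` begins and ends outside this hunk.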