1. 可以获取x509证书的ct和ev状态。2. hostname不匹配,不认为是非法证书。

zhengchao
2019-05-15 20:09:12 +08:00
parent ae678d5128
commit ea0292f1b4
7 changed files with 846 additions and 30 deletions


@@ -321,9 +321,9 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
return ret;
}
int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, SSL * ssl, const char* hostname, struct cert_verify_param* param, char* reason, size_t n_reason)
int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, SSL * ssl, const char* hostname, struct cert_verify_param* param, char* reason, size_t n_reason, struct cert_verify_result* result)
{
int ret = 0, err_code=0, host_matched=1;
int ret = 0, err_code=0;
char *subj=NULL, *issuer=NULL;
STACK_OF(X509) * cert_chain = SSL_get_peer_cert_chain(ssl);
if (cert_chain == NULL)
@@ -332,47 +332,52 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
return 1;
}
X509 * cert = sk_X509_value(cert_chain, 0);
if(!param->no_verify_cn&&hostname)
{
result->is_hostmatched=X509_check_host(cert, hostname, strlen(hostname), 0, NULL);
}
else
{
result->is_hostmatched=1;
}
char* oid=ssl_x509_get_extension(cert, NID_certificate_policies);
if(oid)
{
result->is_ev=ssl_x509_is_ev(oid);
}
free(oid);
oid=NULL;
ASN1_OCTET_STRING *sct=NULL;
int crit = 0;
sct = (ASN1_OCTET_STRING*)X509_get_ext_d2i(cert, NID_ct_precert_scts, &crit, NULL);
if(sct)
{
result->is_ct=1;
}
ASN1_STRING_free(sct);
X509_STORE_CTX * ctx = X509_STORE_CTX_new();
pthread_rwlock_rdlock(&(storage->rwlock));
ret = X509_STORE_CTX_init(ctx, storage->effective_store, cert, cert_chain);
assert(ret == 1);
if(!param->no_verify_cn&&!hostname)
{
host_matched=X509_check_host(cert, hostname, strlen(hostname), 0, NULL);
}
else
{
host_matched=1;
}
X509_STORE_CTX_set_verify_cb(ctx, verify_callback);
// SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_VERIFY_PARAM, &(s_stream->up_parts.verify_param));
X509_STORE_CTX_set_ex_data(ctx, SSL_EX_DATA_IDX_VERIFY_PARAM, param);
//If a complete chain can be built and validated this function returns 1, otherwise it return zero or negtive code.
ret = X509_verify_cert(ctx);
err_code=X509_STORE_CTX_get_error(ctx);
if(ret!=1||host_matched!=1)
result->error_code=err_code;
if(ret!=1)
{
subj=ssl_x509_subject(cert);
issuer=ssl_x509_issuer(cert);
if(host_matched!=1)
{
snprintf(reason, n_reason, "%s : subject - %s issuer - %s",
"hostname not matched",
subj,
issuer);
}
else
{
snprintf(reason, n_reason, "%s : subject - %s issuer - %s",
snprintf(reason, n_reason, "%s : subject - %s issuer - %s",
X509_verify_cert_error_string(err_code),
subj,
issuer);
}
free(subj);
free(issuer);
ret=0;