gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

允许设置证书校验选项。

Browse Source
This commit is contained in:
zhengchao
2019-05-14 19:58:23 +08:00
parent 4a67a6b3be
commit f4f7a623a5
6 changed files with 178 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
platform/src/ssl_trusted_cert_storage.cpp
View File

@@ -11,6 +11,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
static int SSL_EX_DATA_IDX_VERIFY_PARAM;
struct ssl_X509_object
{
@@ -183,7 +184,7 @@ struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem
storage->pem_dir=tfe_strdup(pem_dir);
storage->hash_table=_create_mesa_htable();
pthread_rwlock_init(&(storage->rwlock), NULL);
SSL_EX_DATA_IDX_VERIFY_PARAM = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
return storage;
@@ -271,9 +272,59 @@ void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage)
pthread_rwlock_unlock(&(storage->rwlock));
return;
}
int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, const SSL * ssl, char* reason, size_t n_reason)
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
int err, ret=0;
SSL* ssl;
struct cert_verify_param* param=NULL;
if(preverify_ok)
{
return 1;
}
err = X509_STORE_CTX_get_error(ctx);
/*
* Retrieve the pointer to the SSL of the connection currently treated
* and the application specific data stored into the SSL object.
*/
ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
param = (struct cert_verify_param*)SSL_get_ex_data(ssl, SSL_EX_DATA_IDX_VERIFY_PARAM);
switch(err)
{
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
if(param->no_verify_issuer)
{
ret=1;
}
break;
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
if(param->no_verify_self_signed)
{
ret=1;
}
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CERT_HAS_EXPIRED:
if(param->no_verify_expiry_date)
{
ret=1;
}
break;
case X509_V_ERR_UNABLE_TO_GET_CRL:
case X509_V_ERR_DIFFERENT_CRL_SCOPE:
case X509_V_ERR_CRL_HAS_EXPIRED:
ret=1;
break;
default:
ret=0;
break;
}
return ret;
}
int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, SSL * ssl, const char* hostname, struct cert_verify_param* param, char* reason, size_t n_reason)
{
int ret = 0, err_code=0;
int ret = 0, err_code=0, host_matched=1;
char *subj=NULL, *issuer=NULL;
STACK_OF(X509) * cert_chain = SSL_get_peer_cert_chain(ssl);
if (cert_chain == NULL)
@@ -281,27 +332,46 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
// The peer certificate chain is not necessarily available after reusing a session, in which case a NULL pointer is returned.
return 1;
}
X509_STORE_CTX * ctx = X509_STORE_CTX_new();
X509 * cert = sk_X509_value(cert_chain, 0);
SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_callback);
SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_VERIFY_PARAM, param);
X509_STORE_CTX * ctx = X509_STORE_CTX_new();
pthread_rwlock_rdlock(&(storage->rwlock));
ret = X509_STORE_CTX_init(ctx, storage->effective_store, cert, cert_chain);
assert(ret == 1);
if(!param->no_verify_cn&&!hostname)
{
host_matched=X509_check_host(cert, hostname, strlen(hostname), 0, NULL);
}
else
{
host_matched=1;
}
//If a complete chain can be built and validated this function returns 1, otherwise it return zero or negtive code.
ret = X509_verify_cert(ctx);
err_code=X509_STORE_CTX_get_error(ctx);
if(ret!=1 && err_code!=X509_V_ERR_UNABLE_TO_GET_CRL
&& err_code!=X509_V_ERR_DIFFERENT_CRL_SCOPE
&& err_code!=X509_V_ERR_CRL_HAS_EXPIRED)
if(ret!=1||host_matched!=1)
{
subj=ssl_x509_subject(cert);
issuer=ssl_x509_issuer(cert);
snprintf(reason, n_reason, "%s : subject - %s issuer - %s"
, X509_verify_cert_error_string(err_code)
, subj
, issuer);
if(host_matched!=1)
{
snprintf(reason, n_reason, "%s : subject - %s issuer - %s",
"hostname not matched",
subj,
issuer);
}
else
{
snprintf(reason, n_reason, "%s : subject - %s issuer - %s",
X509_verify_cert_error_string(err_code),
subj,
issuer);
}
free(subj);
free(issuer);
ret=0;
@@ -310,8 +380,9 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
{
ret=1;
}
X509_STORE_CTX_free(ctx);
pthread_rwlock_unlock(&(storage->rwlock));
pthread_rwlock_unlock(&(storage->rwlock));
return ret;
}