diff --git a/conf/tfe/tfe.conf b/conf/tfe/tfe.conf
index 3dccb37..fe27597 100644
--- a/conf/tfe/tfe.conf
+++ b/conf/tfe/tfe.conf
@@ -21,6 +21,7 @@ key_log_file=log/sslkeylog.log
 no_alpn=0
 stek_group_num=4
 stek_rotation_time=3600
+service_cache_succ_as_app_not_pinning_cnt=3
 [key_keeper]
 #Mode: debug - generate cert with ca_path, normal - generate cert with cert store
diff --git a/platform/include/internal/ssl_service_cache.h b/platform/include/internal/ssl_service_cache.h
index 56d2a20..fe6c09a 100644
--- a/platform/include/internal/ssl_service_cache.h
+++ b/platform/include/internal/ssl_service_cache.h
@@ -18,7 +18,7 @@ struct ssl_service_status
 };
 struct ssl_service_cache;
-struct ssl_service_cache* ssl_service_cache_create(unsigned int slot_size, unsigned int expire_seconds, int fail_as_pinning_cnt, int fail_as_proto_err_cnt, int fail_time_win);
+struct ssl_service_cache* ssl_service_cache_create(unsigned int slot_size, unsigned int expire_seconds, int fail_as_pinning_cnt, int fail_as_proto_err_cnt, int succ_as_app_not_pinning_cnt, int fail_time_win);
 void ssl_service_cache_destroy(struct ssl_service_cache* cache);
 int ssl_service_cache_read(struct ssl_service_cache* svc_cache, const struct ssl_chello* chello, const struct tfe_stream_addr * addr, struct ssl_service_status* result);
diff --git a/platform/src/ssl_service_cache.cpp b/platform/src/ssl_service_cache.cpp
index f8ae994..3ab0461 100644
--- a/platform/src/ssl_service_cache.cpp
+++ b/platform/src/ssl_service_cache.cpp
@@ -4,10 +4,6 @@
 #include
 #include
-#define FAIL_AS_PINNING_COUNT 4
-#define FAIL_TIME_WINDOW 30
-#define FAIL_AS_PROTO_ERR_COUNT 5
-#define SUCC_AS_APP_NOT_PINNING 3
 struct ssl_svc_client_st
 {
 time_t last_update_time;
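Review bot: The new `service_cache_succ_as_app_not_pinning_cnt=3` key in tfe.conf carries no comment saying what the count means or what range is sensible, while the `[key_keeper]` section right below documents its options with `#` lines. From the name and the `SUCC_AS_APP_NOT_PINNING` constant it replaces, this appears to be the number of successful handshakes after which a service stops being treated as pinning, which is a detection-tuning knob rather than a cosmetic one; an operator lowering it should know that. I would add a line above the key, e.g. `# Successful handshakes after which a service is no longer treated as pinning; lowering this presumably makes misclassification easier (confirm against ssl_service_cache.cpp)`.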
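Review bot: The changed `ssl_service_cache_create` prototype in ssl_service_cache.h now takes four consecutive bare `int` thresholds (`fail_as_pinning_cnt`, `fail_as_proto_err_cnt`, `succ_as_app_not_pinning_cnt`, `fail_time_win`) that callers must match by position with no help from the type system, and the new one is inserted in the middle rather than appended, so a caller that swaps two of them still compiles cleanly; a small `struct ssl_service_cache_params` passed by pointer, or at least appending new thresholds at the end, would make that mistake visible. The new parameter is also typed `int` while the value it receives is an `unsigned int` field of `struct ssl_mgr` (ssl_stream.cpp hunk), and a negative success count has no obvious meaning, so `unsigned int` would match `slot_size`/`expire_seconds` in the same signature. None of the six parameters is documented in the header; a `/** ... */` block stating, per parameter, what a count of N triggers and the units of `fail_time_win` would be the place to fix that.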
@@ -399,7 +395,7 @@ void ssl_service_cache_write(struct ssl_service_cache* svc_cache, const struct s
 MESA_htable_search_cb(svc_cache->app_st_hash, hash_key, (unsigned int) hash_key_sz, app_st_write_cb, &write_args, &svr_st_cb_ret);
 }
 }
-struct ssl_service_cache* ssl_service_cache_create(unsigned int slot_size, unsigned int expire_seconds, int fail_as_pinning_cnt, int fail_as_proto_err_cnt, int fail_time_win)
+struct ssl_service_cache* ssl_service_cache_create(unsigned int slot_size, unsigned int expire_seconds, int fail_as_pinning_cnt, int fail_as_proto_err_cnt, int succ_as_app_not_pinning_cnt, int fail_time_win)
 {
 struct ssl_service_cache * cache = ALLOC(struct ssl_service_cache, 1);
 unsigned max_num = slot_size * 4;
@@ -409,7 +405,7 @@ struct ssl_service_cache* ssl_service_cache_create(unsigned int slot_size, unsig
 cache->fail_as_cli_pinning_count=fail_as_pinning_cnt;
 cache->fail_as_proto_err_count=fail_as_proto_err_cnt;
 cache->fail_time_window=fail_time_win;
-cache->succ_as_app_not_pinning_count=SUCC_AS_APP_NOT_PINNING;//TODO: read from profile.
+cache->succ_as_app_not_pinning_count = succ_as_app_not_pinning_cnt;
 void (*free_func[])(void *)={ssl_svc_free_client_st, ssl_svc_free_server_st, ssl_svc_free_app_st};
 for(i=0; i<3; i++)
 {
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index ab3ba64..c600614 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -134,6 +134,7 @@ struct ssl_mgr
 unsigned int svc_expire_seconds;
 unsigned int svc_fail_as_pinning_cnt;
 unsigned int svc_fail_as_proto_err_cnt;
+unsigned int svc_succ_as_app_not_pinning_cnt;
 unsigned int svc_cnt_time_window;
 struct sess_cache * down_sess_cache;
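Review bot: `cache->succ_as_app_not_pinning_count = succ_as_app_not_pinning_cnt;` stores the new threshold without any range check, whereas the value it replaces was a fixed compile-time constant of 3; the value now originates in the ini profile as an `unsigned int` (the `svc_succ_as_app_not_pinning_cnt` field added to `struct ssl_mgr` in the same change) and is narrowed to `int` on the way in, so a large configured value arrives negative and a `0` is accepted as-is. I cannot see from this hunk how the count is compared, but if zero or negative causes a service to be treated as not pinning on the first success, that is a silent weakening of the classification from a typo in tfe.conf; a guard such as `if (succ_as_app_not_pinning_cnt <= 0) succ_as_app_not_pinning_cnt = 3;` here, or a hard failure at the load site, would close it. The same narrowing applies to the three pre-existing thresholds assigned just above, which this commit did not introduce. `ssl_service_cache_create` begins in the previous hunk and its body continues past the end of this one.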
@@ -694,12 +695,15 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
 &(mgr->svc_fail_as_pinning_cnt), 4);
 MESA_load_profile_uint_def(ini_profile, section, "service_cache_fail_as_proto_err_cnt",
 &(mgr->svc_fail_as_proto_err_cnt), 5);
+MESA_load_profile_uint_def(ini_profile, section, "service_cache_succ_as_app_not_pinning_cnt",
+&(mgr->svc_succ_as_app_not_pinning_cnt), 3);
 MESA_load_profile_uint_def(ini_profile, section, "service_cache_fail_time_window",
 &(mgr->svc_cnt_time_window), 30);
 mgr->svc_cache=ssl_service_cache_create(mgr->svc_cache_slots,
 mgr->svc_expire_seconds,
 mgr->svc_fail_as_pinning_cnt,
 mgr->svc_fail_as_proto_err_cnt,
+mgr->svc_succ_as_app_not_pinning_cnt,
 mgr->svc_cnt_time_window);
 mgr->key_keeper = key_keeper_init(ini_profile, "key_keeper", logger);
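Review bot: The new `MESA_load_profile_uint_def(... "service_cache_succ_as_app_not_pinning_cnt", ..., 3)` read is the trust boundary for this value, and nothing between it and the `ssl_service_cache_create` call two statements later checks it, so a profile value above `INT_MAX` is passed to the `int` parameter as a negative count and `0` goes through unchanged. I would bound it right after the load, e.g. `if (mgr->svc_succ_as_app_not_pinning_cnt == 0 || mgr->svc_succ_as_app_not_pinning_cnt > INT_MAX) { /* log and fail init, or fall back to the default */ }`, on the assumption that a zero or negative threshold is not meaningful for a success count (confirm against the comparison in ssl_service_cache.cpp). The literal default `3` is now repeated here and in tfe.conf with no comment on what the threshold does; a named constant next to the other defaults (`4`, `5`, `30`) plus a one-line comment at the read site would keep the two in step. `ssl_manager_init` begins before this hunk and continues after it.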